Addition of webhook verification for Rails #17

@bnorton

We've finalized our Partner integration for Chameleon and here is the code snippet that we use to verify the authenticity of webhooks coming from Heap!

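```ruby
require 'base64'
require 'openssl'

class HeapSegments < Application
  before_action :check_signature!

  def create
    # queue for subsequent processing

    json_200
  end

  private

  # The Heap-Hash header carries comma-separated "key:value" pairs: ts (milliseconds) and hmac.
  def check_signature!
    # split(':', 2) plus the size filter keeps to_h from raising on a malformed header
    info = request.headers['Heap-Hash'].to_s.split(/\s*,\s*/).map { |part| part.split(':', 2) }.select { |pair| pair.size == 2 }.to_h
    timestamp = info['ts'].to_i / 1000
    # HMAC-SHA256 over the raw ts value followed by the raw request body, Base64-encoded
    signature = Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', ENV['HEAP_WEBHOOK_SECRET'], "#{info['ts']}#{request.raw_post}"))

    # Reject stale or future-dated requests, then compare in constant time.
    # A single json_403 avoids rendering twice; to_s guards against a missing hmac.
    fresh = timestamp > 5.seconds.ago.to_i && timestamp < 1.second.from_now.to_i
    json_403 unless fresh && ActiveSupport::SecurityUtils.secure_compare(info['hmac'].to_s, signature)
  end
end
```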
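
Both sides of the scheme in the snippet above, in plain Ruby so the accept and reject paths can be exercised without Rails; this is an added example, not part of the original issue or Chameleon's code. The header layout and MAC input are inferred from that snippet, and the function names, secret, payload and timestamps are constructed for illustration.

```ruby
require 'openssl'

# Assumed from the issue's snippet: header is "ts:<ms>,hmac:<base64>", MAC input is ts + raw body.
def heap_signature(secret, ts_ms, body)
  mac = OpenSSL::HMAC.digest('SHA256', secret, "#{ts_ms}#{body}")
  [mac].pack('m0') # strict Base64, no line breaks
end

# Sender side: the header a test fixture would attach to a request.
def heap_hash_header(secret, ts_ms, body)
  "ts:#{ts_ms},hmac:#{heap_signature(secret, ts_ms, body)}"
end

# Constant-time comparison without ActiveSupport (hypothetical helper).
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: returns :ok or the reason the request is rejected.
def verify_heap_webhook(header, body, secret, now: Time.now)
  info = header.to_s.split(/\s*,\s*/).map { |p| p.split(':', 2) }.select { |kv| kv.size == 2 }.to_h
  return :malformed unless info['ts'].to_s.match?(/\A\d+\z/) && !info['hmac'].to_s.empty?
  ts = info['ts'].to_i / 1000
  # Same window as the snippet: newer than 5 seconds ago, less than 1 second ahead.
  return :stale unless ts > now.to_i - 5 && ts < now.to_i + 1
  return :bad_signature unless constant_time_eq?(info['hmac'], heap_signature(secret, info['ts'], body))
  :ok
end

# Constructed sample data (not real Heap traffic).
SECRET = 'constructed-test-secret'
BODY   = '{"segment":"trial-users","users":[1,2,3]}'
NOW    = Time.at(1_700_000_000)
TS_MS  = (NOW.to_i - 1) * 1000 + 250
HEADER = heap_hash_header(SECRET, TS_MS, BODY)

def demo_results
  {
    valid:          verify_heap_webhook(HEADER, BODY, SECRET, now: NOW),
    tampered_body:  verify_heap_webhook(HEADER, BODY.sub('trial', 'paid'), SECRET, now: NOW),
    replayed_later: verify_heap_webhook(HEADER, BODY, SECRET, now: NOW + 60),
    wrong_secret:   verify_heap_webhook(HEADER, BODY, 'other', now: NOW),
    missing_hmac:   verify_heap_webhook("ts:#{TS_MS}", BODY, SECRET, now: NOW)
  }
end

p demo_results if __FILE__ == $PROGRAM_NAME
```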
