forked from openai-php/client
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathWebhookSignatureVerifier.php
More file actions
124 lines (104 loc) · 3.8 KB
/
WebhookSignatureVerifier.php
File metadata and controls
124 lines (104 loc) · 3.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<?php
namespace OpenAI\Webhooks;
use DateTimeInterface;
use OpenAI\Exceptions\WebhookVerificationException;
use Psr\Http\Message\RequestInterface;
use RuntimeException;
use UnexpectedValueException;
readonly class WebhookSignatureVerifier
{
private string $secret;
/**
* @throws UnexpectedValueException
*/
public function __construct(
string $secret,
private int $tolerance = 300,
string $secretPrefix = 'whsec_',
) {
if (str_starts_with($secret, $secretPrefix)) {
$secret = substr($secret, strlen($secretPrefix));
}
$this->secret = base64_decode($secret, true)
?: throw new UnexpectedValueException('Invalid secret format');
}
/**
* @throws WebhookVerificationException|RuntimeException
*/
public function verify(RequestInterface $request): void
{
$body = $request->getBody();
$payload = $body->getContents();
$body->rewind();
$this->verifySignature($payload, [
'webhook-id' => trim($request->getHeaderLine('webhook-id')) ?: null,
'webhook-timestamp' => trim($request->getHeaderLine('webhook-timestamp')) ?: null,
'webhook-signature' => trim($request->getHeaderLine('webhook-signature')) ?: null,
]);
}
/**
* @param array{webhook-id: ?non-falsy-string, webhook-timestamp: ?non-falsy-string, webhook-signature: ?non-falsy-string} $headers
*
* @throws WebhookVerificationException
*/
final protected function verifySignature(string $payload, array $headers): void
{
if (! isset($headers['webhook-id'], $headers['webhook-timestamp'], $headers['webhook-signature'])) {
throw WebhookVerificationException::missingRequiredHeader();
}
[
'webhook-id' => $messageId,
'webhook-timestamp' => $messageTimestamp,
'webhook-signature' => $messageSignature,
] = $headers;
$timestamp = $this->verifyTimestamp($messageTimestamp);
$signature = $this->sign($messageId, $timestamp, $payload);
[, $expectedSignature] = explode(',', $signature, 2);
$passedSignatures = explode(' ', $messageSignature);
foreach ($passedSignatures as $versionedSignature) {
[$version, $passedSignature] = explode(',', $versionedSignature, 2);
if (strcmp($version, 'v1') !== 0) {
continue;
}
if (hash_equals($expectedSignature, $passedSignature)) {
return;
}
}
throw WebhookVerificationException::noMatchingSignature();
}
/**
* @throws WebhookVerificationException
*
* @internal
*/
final public function sign(string $messageId, DateTimeInterface|int $timestamp, string $payload): string
{
$timestamp = match (true) {
$timestamp instanceof DateTimeInterface => $timestamp->getTimestamp(),
is_int($timestamp) && $timestamp > 0 => $timestamp,
default => throw WebhookVerificationException::invalidTimestamp(),
};
$hash = hash_hmac(
'sha256',
implode('.', [$messageId, $timestamp, $payload]),
$this->secret,
);
$signature = base64_encode(pack('H*', $hash));
return 'v1,'.$signature;
}
/**
* @throws WebhookVerificationException
*/
protected function verifyTimestamp(string $timestampHeader): int
{
$now = time();
$timestamp = (int) $timestampHeader;
if ($timestamp < ($now - $this->tolerance)) {
throw WebhookVerificationException::timestampMismatch();
}
if ($timestamp > ($now + $this->tolerance)) {
throw WebhookVerificationException::timestampMismatch();
}
return $timestamp;
}
}