adds signature verification implementations

Author: sufyankhanrao

.gitignore

@@ -162,3 +162,4 @@ cython_debug/
 # Visual Studio Code
 .vscode/
 .qodo
+*~

apimatic_core/__init__.py

@@ -12,5 +12,6 @@
     'logger',
     'exceptions',
     'constants',
-    'pagination'
+    'pagination',
+    'security'
 ]

apimatic_core/security/__init__.py

@@ -0,0 +1,3 @@
+__all__=[
+    'hmac_signature_verifier'
+]

apimatic_core/security/hmac_signature_verifier.py

@@ -0,0 +1,56 @@
+import hashlib
+import hmac
+from typing import Mapping
+
+from apimatic_core_interfaces.security.signature_verifier import SignatureVerifier
+
+
+class HmacSignatureVerifier(SignatureVerifier):
+    """
+    Verifier that checks webhook signatures using HMAC-SHA256.
+    """
+
+    def __init__(self, key: str, signature_header: str):
+        """
+        Initialize the HMAC signature verifier.
+
+        Args:
+            key (str): Secret key used for HMAC verification.
+            signature_header (str): Name of the HTTP header that carries the signature.
+
+        Raises:
+            ValueError: If key or signature_header is empty.
+        """
+        if not key:
+            raise ValueError("HMAC verification requires a non-empty key.")
+        if not signature_header:
+            raise ValueError("signature_header must be a non-empty string.")
+        self._key = key
+        self._signature_header = signature_header.lower()
+
+    def verify(self, headers: Mapping[str, str], payload: str) -> bool:
+        """
+        Verify the payload against the signature in headers.
+
+        Args:
+            headers (Mapping[str, str]): HTTP headers of the request.
+            payload (str): Raw request body as a JSON string.
+
+        Returns:
+            bool: True if the computed HMAC matches the provided signature.
+
+        Raises:
+            ValueError: If the signature header is missing.
+        """
+        normalized = {k.lower(): v for k, v in headers.items()}
+        provided = normalized.get(self._signature_header)
+        if not provided:
+            raise ValueError(f"Missing required header: {self._signature_header}")
+
+        computed = hmac.new(
+            self._key.encode("utf-8"),
+            payload.encode("utf-8"),
+            hashlib.sha256
+        ).hexdigest()
+
+        return hmac.compare_digest(provided, computed)

apimatic_core/security/no_op_signature_verifier.py

@@ -0,0 +1,23 @@
+from typing import Mapping
+
+from apimatic_core_interfaces.security.signature_verifier import SignatureVerifier
+
+
+class NoOpSignatureVerifier(SignatureVerifier):
+    """
+    Verifier that always returns True.
+    Useful for testing or when verification is disabled.
+    """
+
+    def verify(self, headers: Mapping[str, str], payload: str) -> bool:
+        """
+        Always returns True regardless of input.
+
+        Args:
+            headers (Mapping[str, str]): HTTP headers (ignored).
+            payload (str): Raw request body (ignored).
+
+        Returns:
+            bool: Always True.
+        """
+        return True

requirements.txt

@@ -1,6 +1,6 @@
 jsonpickle~=3.3.0
 python-dateutil~=2.8
-apimatic-core-interfaces~=0.1.0, >= 0.1.5
+git+https://github.com/apimatic/core-interfaces-python@webhooks-support
 requests~=2.31
 setuptools>=68.0.0
 jsonpointer~=2.3

setup.py

@@ -12,7 +12,7 @@
 
 setup(
     name='apimatic-core',
-    version='0.2.21',
+    version='0.2.22',
     description='A library that contains core logic and utilities for '
                 'consuming REST APIs using Python SDKs generated by APIMatic.',
     long_description=long_description,