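/**
 * Verify the HMAC-SHA256 signature of an incoming webhook request.
 *
 * The signed message is the JSON encoding of a fixed set of body fields plus
 * the value of the X-Webhook-Timestamp header, so the timestamp is covered by
 * the signature. Validation fails closed: a missing or non-string signature,
 * an empty secret, or a body that does not decode to a JSON object/array all
 * return false instead of raising warnings or a TypeError.
 *
 * NOTE(review): the timestamp is authenticated but its age is not checked
 * here. Callers that need replay protection should reject timestamps outside
 * a tolerance window; the timestamp format is not visible in this function,
 * so confirm it against the sender's documentation.
 *
 * @param array<string, string> $headers Incoming HTTP headers
 * @param string $rawBody Raw JSON request body
 * @param string $secret Shared secret key
 * @return bool Whether the signature is valid
 */
function validate_webhook(array $headers, string $rawBody, string $secret): bool
{
    // An empty key authenticates nothing: anyone can compute the HMAC.
    if ($secret === '') {
        return false;
    }

    // HTTP header names are case-insensitive; prefer the exact key, then fall
    // back to a case-insensitive match (servers and HTTP/2 may lowercase names).
    $header = static function (string $name) use ($headers) {
        if (array_key_exists($name, $headers)) {
            return $headers[$name];
        }
        foreach ($headers as $key => $value) {
            if (strcasecmp((string) $key, $name) === 0) {
                return $value;
            }
        }
        return null;
    };

    // hash_equals() requires strings; reject anything else up front.
    $receivedSignature = $header('X-Webhook-Signature');
    if (!is_string($receivedSignature) || $receivedSignature === '') {
        return false;
    }
    $timestamp = $header('X-Webhook-Timestamp') ?? '';

    // Malformed JSON decodes to null and a JSON scalar decodes to a scalar;
    // neither can carry the signed fields, so stop before indexing into it.
    $body = json_decode($rawBody, true);
    if (!is_array($body)) {
        return false;
    }

    // Field order and encoding flags must match what the sender signed.
    // NOTE(review): decoding with assoc=true turns an empty JSON object {}
    // into [], which re-encodes as []; verify the sender's serialization if
    // payloads can contain empty objects.
    $webhookPayload = [
        'webhook_id' => $body['webhook_id'] ?? null,
        'url' => $body['url'] ?? null,
        'event' => $body['event'] ?? null,
        'resource_id' => $body['resource_id'] ?? null,
        'payload' => $body['payload'] ?? null,
        'timestamp' => $timestamp,
    ];

    $message = json_encode($webhookPayload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
    if ($message === false) {
        // Encoding failed (e.g. nesting depth); never sign a coerced empty string.
        return false;
    }

    $expectedSignature = hash_hmac('sha256', $message, $secret);

    // Constant-time comparison; the known value goes first.
    return hash_equals($expectedSignature, $receivedSignature);
}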