ExLine.Webhook.Signature (ExLine v0.1.0)


Verifies the x-line-signature header on incoming webhook requests.

LINE computes an HMAC-SHA256 over the raw request body with the channel secret as the key, Base64-encodes the digest, and sends the result in the x-line-signature header. Verification compares the signatures in constant time.

Make sure the raw body is preserved before your JSON parser consumes it (see ExLine.Webhook.BodyReader).

Ref: https://developers.line.biz/en/docs/messaging-api/receiving-messages/#verifying-signatures

Functions

sign(body, secret)

@spec sign(binary(), binary()) :: binary()

Computes the Base64-encoded HMAC-SHA256 signature for body under secret.

valid?(body, signature, secret)

@spec valid?(binary(), binary(), binary()) :: boolean()

Returns true iff signature is a valid LINE signature for body under secret.

iex> secret = "secret"
iex> body = ~s({"events":[]})
iex> sig = :crypto.mac(:hmac, :sha256, secret, body) |> Base.encode64()
iex> ExLine.Webhook.Signature.valid?(body, sig, secret)
true

iex> ExLine.Webhook.Signature.valid?(~s({"events":[]}), "wrong", "secret")
false
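Why the raw body matters, as an added example that is not ExLine's own code: the hypothetical SigDemo module below reimplements the check described above and shows that a body which went through a JSON decode/re-encode round trip no longer verifies. It assumes OTP 25+ for :crypto.hash_equals/2; the secret and bodies are constructed sample values.

```elixir
# Added example; SigDemo and all sample values are constructed, not ExLine code.
defmodule SigDemo do
  # Base64(HMAC-SHA256(channel_secret, raw_body)), as described above.
  def sign(body, secret) do
    :crypto.mac(:hmac, :sha256, secret, body) |> Base.encode64()
  end

  # Compare decoded MAC bytes. Malformed Base64 or a wrong length is rejected
  # before the constant-time comparison, because :crypto.hash_equals/2
  # raises on binaries of different size.
  def valid?(body, signature, secret) when is_binary(signature) do
    expected = :crypto.mac(:hmac, :sha256, secret, body)

    case Base.decode64(signature) do
      {:ok, given} when byte_size(given) == byte_size(expected) ->
        :crypto.hash_equals(expected, given)

      _ ->
        false
    end
  end

  # Header absent (nil) or not a binary: never valid.
  def valid?(_body, _signature, _secret), do: false
end

secret = "constructed-channel-secret"

# Bytes exactly as they arrived on the wire (note the spaces).
raw_body = ~s({"destination": "U000", "events": []})
header = SigDemo.sign(raw_body, secret)

# What a decode/re-encode round trip can produce: same JSON value, different bytes.
reencoded = ~s({"destination":"U000","events":[]})

true = SigDemo.valid?(raw_body, header, secret)
false = SigDemo.valid?(reencoded, header, secret)        # body no longer byte-identical
false = SigDemo.valid?(raw_body, "wrong", secret)        # not valid Base64 of a 32-byte MAC
false = SigDemo.valid?(raw_body, nil, secret)            # header missing
false = SigDemo.valid?(raw_body, header, "other-secret") # wrong channel secret
IO.puts("all checks passed")
```

Each `true =` / `false =` line is a pattern match, so the script raises a MatchError if any check behaves differently.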