Context
Once a webhook has been activated, each time one of the events associated with it occurs, ProAbono sends an HTTP POST request to the specified URL.
To secure these exchanges and prevent anyone from impersonating ProAbono, it is strongly recommended to use our verification system, which is based on computing a digital signature.
Process
1/ Get your business key
From ProAbono backoffice
- Click on “Integration” in the left menu.
- Click on the “Webhooks” tab.
- Then click on “Secure my webhooks”.
- Choose the sample corresponding to your development language.
- Copy the “secret-key” or directly the piece of code provided.
2/ Retrieve the keys returned by the webhook
From the POST request sent by ProAbono, retrieve the following parameters provided in the header:
- x-proabono-key (unique identifier of the webhook)
- x-proabono-signature (expected result of the calculation)
3/ Verify the authenticity of the source
Use the following method:
- Concatenate x-proabono-key and secret-key.
- Hash the concatenated string with the SHA-256 algorithm.
- Encode the result in base64.
- Compare the result with the value of x-proabono-signature.
If they are equal, the notification comes from ProAbono.
PHP code sample:
<?php
// Returns true only when the signature recomputed from the request key and
// the business secret matches the signature header sent by ProAbono.
function isValidWebhook($keyRequest, $keyBusiness, $keySignature)
{
    // Step 3: concatenate x-proabono-key and secret-key ...
    $concatKey = $keyRequest . $keyBusiness;
    // ... hash with SHA-256 (raw bytes) and base64-encode the digest ...
    $calculatedHash = base64_encode(hash('sha256', $concatKey, true));
    // ... and compare in constant time. hash_equals avoids PHP's loose ==
    // comparison and does not leak how many leading characters matched.
    return hash_equals($calculatedHash, (string) $keySignature);
}
$keyRequest is the value of the x-proabono-key header
$keyBusiness is your secret-key
$keySignature is the value of the x-proabono-signature header
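The same verification carried out from the raw request headers, as an added Python example that is not part of the ProAbono documentation. The secret and header values are constructed; the case-insensitive header lookup, the rejection of requests missing either header and the constant-time comparison are additions that the steps above imply but do not spell out.

```python
import base64
import hashlib
import hmac

# Header names ProAbono sets on the webhook POST (from the documentation).
KEY_HEADER = "x-proabono-key"
SIGNATURE_HEADER = "x-proabono-signature"


def compute_signature(key_request: str, key_business: str) -> str:
    """Step 3: base64(SHA-256(x-proabono-key + secret-key))."""
    digest = hashlib.sha256((key_request + key_business).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_webhook(headers: dict, key_business: str) -> bool:
    """Return True only if both headers are present and the recomputed
    signature matches. HTTP header names are case-insensitive, so the
    lookup lowercases them; the comparison is constant-time."""
    lowered = {name.lower(): value for name, value in headers.items()}
    key_request = lowered.get(KEY_HEADER)
    signature = lowered.get(SIGNATURE_HEADER)
    if not key_request or not signature:
        return False  # missing header: reject, never fall through to a compare
    expected = compute_signature(key_request, key_business)
    # Compare as bytes so a non-ASCII header value cannot raise instead of failing.
    return hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8"))


# Constructed sample values (not real ProAbono data).
SAMPLE_SECRET = "example-secret-key"
SAMPLE_KEY = "webhook-12345"
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-ProAbono-Key": SAMPLE_KEY,
    "X-ProAbono-Signature": compute_signature(SAMPLE_KEY, SAMPLE_SECRET),
}

if __name__ == "__main__":
    print(is_valid_webhook(SAMPLE_HEADERS, SAMPLE_SECRET))  # True
    tampered = dict(SAMPLE_HEADERS, **{"X-ProAbono-Key": "webhook-99999"})
    print(is_valid_webhook(tampered, SAMPLE_SECRET))  # False
```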