Securing webhook request

in Development
Hi all,
We are using the Lightspeed webhooks a lot, and want to validate them now. We work in PHP.
"The header "X-Signature" should be available and is a md5 hash of the incoming payload . app_secret of the .env file"
Now when we retrieve a webhook, we get the data of it via $request->all(). I can also retrieve the X-Signature via $request->header('X-Signature').
However, when I do md5($request->all() . app_secret), this does not match the md5 hash in $request->header('X-Signature').
Does anyone know what I'm doing wrong?
Kind regards,
Eelco
2 comments
This is a difficult one; it seems that the hash process on the server doesn't match the one you are using. I will have to go over this with the Dev team to see if I can get a straight answer.
I will get back to you as soon as I've received an update. Thank you!
I would try $request->getBody().
Lightspeed HQ
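
An added example, not part of the original thread and not Lightspeed's code: it checks the quoted scheme, md5 of the payload followed by app_secret, against the raw request body and shows why a decoded-then-re-encoded payload no longer matches. The function name, secret and payload are constructed for illustration; in a real handler the raw body would come from `file_get_contents('php://input')` (or `$request->getContent()`, assuming a Laravel/Symfony request object).

```php
<?php
declare(strict_types=1);

/**
 * Check an X-Signature header against md5(raw payload . app secret),
 * the scheme quoted in the question. $rawBody must be the request body
 * exactly as received on the wire, not the decoded array.
 * (Hypothetical helper name, not a Lightspeed or framework API.)
 */
function webhook_signature_is_valid(string $rawBody, ?string $signatureHeader, string $appSecret): bool
{
    if ($signatureHeader === null || trim($signatureHeader) === '') {
        return false; // missing header: reject rather than skip the check
    }
    $expected = md5($rawBody . $appSecret);
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($expected, strtolower(trim($signatureHeader)));
}

// Constructed sample data (not a real Lightspeed payload or secret).
$appSecret = 'example-app-secret';
$rawBody   = '{"order": {"id": 1001, "url": "https://shop.example/o/1001"}}';
$header    = md5($rawBody . $appSecret); // value the sender would put in X-Signature

// 1. The raw bytes verify.
var_dump(webhook_signature_is_valid($rawBody, $header, $appSecret));

// 2. Decoding and re-encoding changes spacing and slash escaping,
//    so the bytes (and therefore the hash) differ from what was signed.
$reEncoded = json_encode(json_decode($rawBody, true));
var_dump($reEncoded === $rawBody);
var_dump(webhook_signature_is_valid($reEncoded, $header, $appSecret));

// 3. A body altered in transit is rejected.
$tampered = str_replace('1001', '1002', $rawBody);
var_dump(webhook_signature_is_valid($tampered, $header, $appSecret));

// 4. A request without the header is rejected.
var_dump(webhook_signature_is_valid($rawBody, null, $appSecret));
```

Passing an array such as the result of `$request->all()` into string concatenation yields the literal text "Array", which is why the hash in the question can never match.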