Module webhook


Webhook signature verification (HMAC-SHA256), HMAC-based and constant-time. See webhook::verify_signature.

Most webhook providers (Stripe, GitHub, Slack, etc.) sign the request body with HMAC and put the signature in a header. This module verifies those signatures so you don’t run handler code on forged payloads.

Quick start

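// HeaderMap, Bytes, IntoResponse and StatusCode are assumed here to be axum's types.
use axum::{body::Bytes, http::{HeaderMap, StatusCode}, response::IntoResponse};
use rustango::webhook::{verify_signature, SignatureFormat};

async fn handle_webhook(headers: HeaderMap, body: Bytes) -> impl IntoResponse {
    // A missing or non-UTF-8 header becomes "" and is passed to verification as-is.
    let signature = headers.get("X-Hub-Signature-256")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("");

    // `secret` is the signing secret shared with the provider. It is not defined in
    // this snippet and must already be in scope (for example, loaded from configuration).
    // Verification runs over the raw body bytes, before any parsing.
    if !verify_signature(SignatureFormat::HexSha256, secret, &body, signature) {
        return StatusCode::UNAUTHORIZED;
    }
    // ... process the verified payload
    StatusCode::OK
}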
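The decode-and-compare half of a hex HMAC-SHA256 check, as an added std-only example; it is not rustango's implementation and not code from this page. `SigError`, `decode_hex32`, `ct_eq`, `check_header` and `SAMPLE_HEX` are hypothetical names, and the expected MAC is assumed to have been computed elsewhere over the raw body.

```rust
// Added example, not rustango's code. `expected` is the HMAC-SHA256 the server
// computed over the raw body with a vetted HMAC crate (not shown here).
#[derive(Debug, PartialEq)]
pub enum SigError { Missing, Malformed, Mismatch }

// Constructed sample: stands in for the MAC of one request body.
pub const SAMPLE_HEX: &str = "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8";

/// Decode exactly 64 hex digits into 32 bytes; anything else is rejected.
pub fn decode_hex32(s: &str) -> Option<[u8; 32]> {
    let bytes = s.as_bytes();
    if bytes.len() != 64 { return None; }
    let mut out = [0u8; 32];
    for (i, pair) in bytes.chunks(2).enumerate() {
        let hi = (pair[0] as char).to_digit(16)?;
        let lo = (pair[1] as char).to_digit(16)?;
        out[i] = (hi * 16 + lo) as u8;
    }
    Some(out)
}

/// Compare two MACs with no early exit: every byte pair is XORed and the
/// differences are OR-ed together, so timing does not depend on where a
/// forged signature first differs.
pub fn ct_eq(a: &[u8; 32], b: &[u8; 32]) -> bool {
    a.iter().zip(b.iter()).fold(0u8, |diff, (x, y)| diff | (x ^ y)) == 0
}

/// Check a signature header value against the expected MAC.
/// Stripping an optional `sha256=` prefix is this example's own choice.
pub fn check_header(expected: &[u8; 32], header: Option<&str>) -> Result<(), SigError> {
    let raw = header.map(str::trim).filter(|h| !h.is_empty()).ok_or(SigError::Missing)?;
    let hex = raw.strip_prefix("sha256=").unwrap_or(raw);
    let got = decode_hex32(hex).ok_or(SigError::Malformed)?;
    if ct_eq(expected, &got) { Ok(()) } else { Err(SigError::Mismatch) }
}

fn main() {
    let expected = decode_hex32(SAMPLE_HEX).expect("sample is valid hex");
    let forged = "0".repeat(64);
    println!("genuine: {:?}", check_header(&expected, Some(SAMPLE_HEX)));
    println!("forged:  {:?}", check_header(&expected, Some(forged.as_str())));
    println!("missing: {:?}", check_header(&expected, None));
}
```

In production the comparison is better left to a vetted routine, such as `verify_slice` from the `hmac` crate or `ConstantTimeEq` from the `subtle` crate, than to a hand-written loop.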

Enums

SignatureFormat
Signature encoding format — what the webhook provider sends.

Functions

sign
Sign body with secret, producing a signature in the given format. Useful for generating webhooks (or in tests).
verify_signature
Verify signature against body using HMAC-SHA256 with secret.