Validating payload from Facebook webhook in Ruby on Rails

You don’t have to validate the payload, but you should. — Facebook Docs

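```ruby
require "openssl"

# Hex HMAC-SHA1 of the raw request body, keyed with the app secret.
# HMAC works on bytes, so the raw body is used as received (no re-encoding).
def get_sha_sign(payload, app_secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), app_secret, payload)
end

# Inside the controller action that receives the webhook:
payload = request.body.read
# Only consider the part after "sha1=" in the signature header;
# to_s turns a missing header into a failed check instead of a NoMethodError
sig_header = request.headers["X-Hub-Signature"].to_s.delete_prefix("sha1=")
app_secret = Figaro.env.FB_APP_SECRET
sign = get_sha_sign(payload, app_secret)

# Constant-time comparison, so the check does not leak how many characters matched
unless ActiveSupport::SecurityUtils.secure_compare(sign, sig_header)
  raise BaseError::InvalidRequest.new("Invalid Signature")
end
render plain: "OK"
```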
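As an added example (not code from the original post), here is the same check as a plain-Ruby function that runs outside Rails, exercised on constructed requests: a valid signature, a tampered body, a missing header, and a body containing raw non-ASCII bytes. The names `valid_fb_signature?`, `secure_compare`, `sign_body` and `demo`, the secret and the sample bodies are assumptions made for illustration.

```ruby
require "openssl"

# Constant-time comparison in plain Ruby; a stand-in for
# ActiveSupport::SecurityUtils.secure_compare when Rails is not loaded.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only when header_value is "sha1=<hex HMAC-SHA1 of raw_body>".
def valid_fb_signature?(raw_body, header_value, app_secret)
  return false unless header_value.is_a?(String) && header_value.start_with?("sha1=")
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), app_secret, raw_body)
  secure_compare(expected, header_value.delete_prefix("sha1="))
end

# Sender side, used here only to build the constructed requests below.
def sign_body(raw_body, app_secret)
  "sha1=" + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), app_secret, raw_body)
end

# Constructed sample data, not real credentials or real webhook traffic.
SECRET   = "constructed-app-secret"
BODY     = '{"object":"page","entry":[{"id":"1","time":1}]}'.b
RAW_UTF8 = "{\"text\":\"caf\u00e9\"}".b # contains bytes >= 0x80

# Runs each case and returns the verdicts keyed by case name.
def demo
  good = sign_body(BODY, SECRET)
  {
    valid:          valid_fb_signature?(BODY, good, SECRET),
    tampered_body:  valid_fb_signature?(BODY + " ", good, SECRET),
    missing_header: valid_fb_signature?(BODY, nil, SECRET),
    no_prefix:      valid_fb_signature?(BODY, good.delete_prefix("sha1="), SECRET),
    wrong_secret:   valid_fb_signature?(BODY, sign_body(BODY, "other"), SECRET),
    non_ascii_body: valid_fb_signature?(RAW_UTF8, sign_body(RAW_UTF8, SECRET), SECRET)
  }
end

demo.each { |name, ok| puts "#{name}: #{ok}" } if __FILE__ == $0
```

The signature must be computed over the exact bytes received (`request.body.read`), not over a re-serialized copy of the parsed JSON, or a legitimate request can fail the check.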