Webhook Code ( Java )

The example below demonstrate how to verify a Webhook request in Java

public class TestWebhookService {

@Context

         HttpServletRequest request;

         private static final String POETIC_HMAC_SHA_256 = "X-Poetic-HMAC-SHA256";

         private static final String HMAC_SHA_256 = "HmacSHA256";

         private static final String UTF_8 = "UTF-8";

         @POST

         @Consumes({MediaType.APPLICATION_JSON

         })

         @Produces({MediaType.TEXT_PLAIN

         })

         public Response testWebhook() {

                 String requestBody = "";

String secretKey = System.getenv("X-Poetic-HMAC-SHA256");

                 String poeticHMACValueFromHeader = "";

                 boolean isRequestValid = false;

                 Response response = null;

                 try {

                          requestBody = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));

                          Enumeration<String> headerNames = request.getHeaderNames();

                          while (headerNames.hasMoreElements()) {

                                  String headerName = headerNames.nextElement();

                                  if (headerName.equalsIgnoreCase(POETIC_HMAC_SHA_256)) {

                                           poeticHMACValueFromHeader = request.getHeader(headerName);

                                           if (poeticHMACValueFromHeader == null) {

                                                   continue; // Should never happen, just in case

                                           }

                                           poeticHMACValueFromHeader = poeticHMACValueFromHeader.trim();

                                  }

                          }

                           isRequestValid = verifyHMACValue(poeticHMACValueFromHeader, requestBody, secretKey);

                           ResponseBuilder builder = null;

                          if(isRequestValid) {

                                  builder = Response.status(Response.Status.OK);

                                  builder.entity("Signature matched successfully");

                            } else {

                                  builder = Response.status(Response.Status.BAD_REQUEST);

                                  builder.entity("Bad Request - Signature mismatch");

                          }

                         if(builder != null) {

                                  response = builder.build();

                          }

                  } catch (IOException e) {

                          e.printStackTrace();

                 }

                 return response;

   }

  private boolean verifyHMACValue(String poeticHMACValueFromHeader, String requestBody, String secretKey)

         {

                 boolean isRequestValid = false;

                 try

                 {

                          final byte[] keyBytes = Base64.getDecoder().decode(secretKey);

                          byte[] rawHmac =  hmacSha256(requestBody, keyBytes);

                          String calculatedHMAC = Base64.getEncoder().encodeToString(rawHmac);

                          //Now verify that the actual HMAC in the request header is matching with the calculated HMAC value.

                          isRequestValid = calculatedHMAC.equals(poeticHMACValueFromHeader) ? true : false;

                 }

                 catch(Exception ex)

                 {

                          ex.printStackTrace();

                 }

                 return isRequestValid;

         }

private static byte[] hmacSha256(final String data, final byte[] key) throws NoSuchAlgorithmException, InvalidKeyException, IllegalStateException, UnsupportedEncodingException {

                 final Mac mac = Mac.getInstance(HMAC_SHA_256);

                 mac.init(new SecretKeySpec(key, HMAC_SHA_256));

                 return mac.doFinal(data.getBytes(UTF_8));

         }  

}