refactored DefaultSignatureValidator.php to handle all supported gateways webhook signature validation

Author: MusahMusah

config/multipayment-gateways.php

@@ -33,6 +33,11 @@
              */
             'name' => 'stripe',
 
+            /**
+             * When set to false, the package will not verify the signature of the webhook call.
+             */
+            'verify_signature' => true,
+
             /*
              * This secret key is used to validate the signature of the webhook call.
              */
@@ -82,6 +87,11 @@
              */
             'name' => 'paystack',
 
+            /**
+             * When set to false, the package will not verify the signature of the webhook call.
+             */
+            'verify_signature' => true,
+
             /*
              * This secret key is used to validate the signature of the webhook call.
              */
@@ -131,6 +141,11 @@
              */
             'name' => 'flutterwave',
 
+            /**
+             * When set to false, the package will not verify the signature of the webhook call.
+             */
+            'verify_signature' => true,
+
             /*
              * This secret key is used to validate the signature of the webhook call.
              */

src/Services/PaymentWebhookConfig.php

@@ -22,6 +22,8 @@ class PaymentWebhookConfig
 
     public string $paymentWebhookHandler;
 
+    public string $verify_signature;
+
     public string|ProcessPaymentWebhookJob $paymentWebhookJobClass;
 
     public string|PaymentWebhookReceivedEvent $paymentWebhookEventClass;
@@ -33,6 +35,8 @@ public function __construct(array $properties)
     {
         $this->name = $properties['name'];
 
+        $this->verify_signature = $properties['verify_signature'];
+
         $this->signingSecret = $properties['signing_secret'] ?? '';
 
         $this->signatureHeaderName = $properties['signature_header_name'] ?? '';

src/SignatureValidator/DefaultSignatureValidator.php

@@ -9,6 +9,23 @@ class DefaultSignatureValidator implements PaymentWebhookSignatureValidator
 {
     public function isValid(Request $request, PaymentWebhookConfig $config): bool
     {
-        return true;
+        if (! config(key: $config->verify_signature)) return true;
+
+        if ((! $request->isMethod(method: 'post')) || ! $request->header(key: $config->signatureHeaderName)) return false;
+
+        $signature = $this->validateSignature(gatewayName: $config->name, requestContent: $request->getContent(), signingSecret: $config->signingSecret);
+
+        if ($signature !== $request->header(key: $config->signatureHeaderName)) return false;
+
+        return hash_equals(known_string: $signature, user_string: $request->header(key: $config->signatureHeaderName));
+    }
+
+    private function validateSignature($gatewayName, $requestContent, $signingSecret): string
+    {
+        // @phpstan-ignore-next-line
+        return match ($gatewayName) {
+            'paystack' => hash_hmac(algo: 'sha512', data: $requestContent, key: $signingSecret),
+            'stripe', 'flutterwave' => hash_hmac(algo: 'sha256', data: $requestContent, key: $signingSecret),
+        };
     }
 }