From 2029976f0c00184b20c30aec1160a1da104de8c7 Mon Sep 17 00:00:00 2001
From: Mathieu Guindon
Date: Wed, 5 Feb 2025 12:58:36 -0500
Subject: [PATCH] use HMACSHA256
---
 rubberduckvba.Server/WebhookSignatureValidationService.cs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rubberduckvba.Server/WebhookSignatureValidationService.cs b/rubberduckvba.Server/WebhookSignatureValidationService.cs
index 28cc8ab..d71a375 100644
--- a/rubberduckvba.Server/WebhookSignatureValidationService.cs
+++ b/rubberduckvba.Server/WebhookSignatureValidationService.cs
@@ -61,11 +61,13 @@ private bool IsValidSignature(string? signature, string payload)
 {
 return false;
 }
- using var sha256 = SHA256.Create();
 var secret = configuration.GitHubOptions.Value.WebhookToken;
- var bytes = Encoding.UTF8.GetBytes(secret + payload);
- var check = $"sha256={Encoding.UTF8.GetString(sha256.ComputeHash(bytes))}";
+ var secretBytes = Encoding.UTF8.GetBytes(secret);
+ var payloadbytes = Encoding.UTF8.GetBytes(payload);
+
+ using var digest = new HMACSHA256(secretBytes);
+ var check = $"sha256={Encoding.UTF8.GetString(digest.ComputeHash(payloadbytes))}";
 return signature == check;
 }
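Review bot: The new `check` line still turns the digest into text with `Encoding.UTF8.GetString(digest.ComputeHash(payloadbytes))`, which is a lossy decode of raw MAC bytes (invalid sequences become U+FFFD) and not the lowercase hex that a `sha256=`-prefixed webhook signature header normally carries, so a genuine signature would presumably never match. Hex-encode the digest and compare in constant time rather than with `==`: `var expected = Encoding.ASCII.GetBytes("sha256=" + Convert.ToHexString(digest.ComputeHash(payloadbytes)).ToLowerInvariant());` then `return CryptographicOperations.FixedTimeEquals(Encoding.ASCII.GetBytes(signature), expected);`. The HMAC is taken over `payload` re-encoded as UTF-8, so it is worth confirming in the caller that this round-trips to the exact request body bytes. The start of `IsValidSignature`, including the guard that returns false, lies outside the hunk, so I am assuming `signature` is non-null by this point.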