Authentication Alerts

It’s very important to confirm that requests received on your webhook are sent from Leaf, to avoid IP spoofing attacks. To this end, you should verify webhook signatures.

Leaf generates signatures using a hash-based message authentication code (HMAC) with SHA-256, and the secret specified when you created the alerts' configuration as the HMAC key. Be careful with deserialization of the request body when using it to verify the signature. It's recommended that you get the request body as bytes. The signed content has no line breaks and spaces after symbols, it's a string of the raw JSON with white-spaces after “:” and “,”.

The digest is added to the X-Leaf-Signature header encoded in base 64.

Here is an example on how to verify the request in your webhook:

• Python
• Java

import hmac

import base64

import json

payload = 'alert_payload'

# Sign the request body received with your secret

expected_sig = hmac.digest(msg=bytes(json.dumps(payload), 'utf-8'),

key=bytes('your secret key', 'utf-8'),

digest='sha256')

# Decode the base-64 encoded X-Leaf-Signature header that was sent in the event header

sig_header = "x-leaf-signature-in-header"

request_sig = base64.b64decode(sig_header)

# Compare both

hmac.compare_digest(expected_sig, request_sig)

The value alert_payload corresponds to the payload of the alerts.

For example, if you need to authenticate a created field, the alert_payload will be:

{

"source": "REST",

"leafUserId": "the id of the file owner",

"fieldId": "the id of the created field",

"timestamp": "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'",

"type": "fieldCreated"

}