Add Line webhook signature verification helper

Implements LineSignature.IsValid() using HMAC-SHA256 + FixedTimeEquals to prevent timing attacks; includes xUnit tests for valid, tampered, and null/empty header cases.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Chris Chen
2026-06-23 19:07:01 -07:00
parent 3544b6ee78
commit 85bf329d93
2 changed files with 67 additions and 0 deletions
@@ -0,0 +1,20 @@
using System.Security.Cryptography;
using System.Text;
namespace ROLAC.API.Services.Notifications;
/// <summary>Verifies the X-Line-Signature header (HMAC-SHA256 of the raw body, base64).</summary>
public static class LineSignature
{
public static bool IsValid(string channelSecret, byte[] rawBody, string? signatureHeader)
{
if (string.IsNullOrEmpty(signatureHeader)) return false;
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(channelSecret));
var expected = Convert.ToBase64String(hmac.ComputeHash(rawBody));
return CryptographicOperations.FixedTimeEquals(
Encoding.UTF8.GetBytes(expected),
Encoding.UTF8.GetBytes(signatureHeader));
}
}
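Review bot: `IsValid` rejects a missing `signatureHeader` but never validates `channelSecret` or `rawBody`, so the check does not fail closed when the secret is unset. If configuration hands in an empty string, the HMAC is keyed with a zero-length key, and any sender who knows the scheme can compute a signature that passes. A null secret or null body throws `ArgumentNullException` instead of returning false, which the webhook endpoint would presumably surface as a 500 rather than a rejected request. I would widen the guard at the top of the method to `if (string.IsNullOrEmpty(channelSecret) || rawBody is null || string.IsNullOrEmpty(signatureHeader)) return false;`, or throw at startup when the secret is missing. The tests described in the commit message cover the header cases; an empty-secret case would be worth adding alongside them.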