Created
October 18, 2018 21:09
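/**
 * REST endpoint that Xero calls to deliver webhook events.
 *
 * Each request is authenticated by recomputing the HMAC-SHA256 of the request body with the
 * webhook key and comparing it to the base64 value Xero sends in the 'x-xero-signature' header.
 * Details: https://developer.xero.com/documentation/webhooks/configuring-your-server
 */
@RestResource(urlMapping='/xero/webhook')
global without sharing class XeroWebhook {

    /**
     * Handles the POST from Xero and sets the response status to 200 when the signature
     * matches, or 401 when it does not (or when anything needed to verify it is missing).
     */
    @HttpPost
    global static void processIntentToReceive() {
        RestRequest request = RestContext.request;

        // Signature supplied by the caller; attacker-controlled until verified.
        String xeroSignature = request.headers.get('x-xero-signature');

        // Sign the raw bytes as received. Converting the body to a String and back to a Blob
        // only works for well-formed UTF-8 and adds nothing to the check.
        Blob xeroPayload = request.requestBody;

        // The webhook key is stored in a Custom Setting.
        Xero_Config__c config = Xero_Config__c.getInstance();
        String webhookKey = config == null ? null : config.Webhook_Key__c;

        RestContext.response.statusCode =
            isValidSignature(xeroPayload, webhookKey, xeroSignature) ? 200 : 401;
    }

    /**
     * Recomputes the HMAC-SHA256 of the payload and compares it to the supplied signature.
     *
     * @param payload           raw request body
     * @param webhookKey        shared secret configured for the webhook
     * @param suppliedSignature base64 signature taken from the request header
     * @return true only when every input is present and the signatures are identical
     */
    private static Boolean isValidSignature(Blob payload, String webhookKey, String suppliedSignature) {
        // Fail closed: a missing body, header or key must never verify. A blank key in
        // particular would make the MAC computable by anyone.
        if (payload == null || String.isBlank(webhookKey) || String.isBlank(suppliedSignature)) {
            return false;
        }

        Blob signedPayload = Crypto.generateMac('hmacSHA256', payload, Blob.valueOf(webhookKey));
        String encodedPayload = EncodingUtil.base64Encode(signedPayload);

        // Apex '==' on Strings ignores case, and base64 is case-sensitive, so '==' would accept
        // signatures that differ from the expected one only by letter case. equals() is exact.
        // NOTE(review): equals() is not documented as constant-time; where the org's API version
        // provides Crypto.verifyHMac, prefer it for the comparison.
        return encodedPayload.equals(suppliedSignature);
    }
}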