prajwal89/webhook-verifier

Verify incoming webhooks with php

Maintainers

Details

github.com/prajwal89/webhook-verifier

Source

Issues

Installs: 9

Dependents: 0

Suggesters: 0

Security: 0

Stars: 1

Watchers: 1

Forks: 0

Open Issues: 0

v0.1.1 2025-04-08 09:03 UTC

Requires

  • php: >=7.4

Requires (Dev)

MIT b000029b5da2e18e6fefedb6da2f567e653a2008

This package is auto-updated.

Last update: 2025-04-08 09:31:35 UTC

README

A PHP implementation of the Standard Webhooks signature verification.

Installation

You can install the package via composer:

composer require prajwal89/webhook-verifier

Usage

Basic Usage

<?php

require 'vendor/autoload.php';

use StandardWebhooks\WebhookVerifier;
use StandardWebhooks\Exceptions\WebhookVerificationException;

$secret = 'whsec_MfKQ9r4OrVlYAKE4QxSvsCUQvxgwauQ'; // Your webhook secret
$verifier = new WebhookVerifier($secret);

// Get the request headers
$headers = [
    'webhook-id' => $_SERVER['HTTP_WEBHOOK_ID'],
    'webhook-timestamp' => $_SERVER['HTTP_WEBHOOK_TIMESTAMP'],
    'webhook-signature' => $_SERVER['HTTP_WEBHOOK_SIGNATURE'],
];

// Get the raw request payload
$payload = file_get_contents('php://input');

try {
    // Verify the signature and get the decoded data
    $data = $verifier->verify($payload, $headers);
    
    // Process the verified webhook data
    handleWebhook($data);
    
    http_response_code(200);
    echo json_encode(['success' => true]);
} catch (WebhookVerificationException $e) {
    // Handle verification failure
    http_response_code(401);
    echo json_encode(['error' => $e->getMessage()]);
}

function handleWebhook($data) {
    // Process your webhook data here
    // $eventType = $data['event'];
    // ...
}

Exception Handling

The package provides three exception types:

  1. WebhookVerificationException - Base exception class for all webhook verification errors
  2. SignatureException - Thrown when there's an issue with the signature
  3. TimestampException - Thrown when there's an issue with the timestamp

You can catch these exceptions separately if you need specific error handling:

try {
    $data = $verifier->verify($payload, $headers);
    // Process webhook
} catch (TimestampException $e) {
    // Handle timestamp issues (e.g., expired webhook)
    echo "Timestamp error: " . $e->getMessage();
} catch (SignatureException $e) {
    // Handle signature issues (e.g., tampered payload)
    echo "Signature error: " . $e->getMessage();
} catch (WebhookVerificationException $e) {
    // Handle other verification issues
    echo "Verification error: " . $e->getMessage();
}

Security

The package uses constant-time comparison to prevent timing attacks when verifying signatures.

The default tolerance for timestamp verification is 5 minutes (300 seconds) to account for minor time differences between servers.

Testing

composer test

License

The MIT License (MIT). Please see License File for more information.