package webhook
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"strconv"
"strings"
"time"
)
func VerifyToAPIs(eventID, timestamp, signature string, body []byte, secrets []string) bool {
ts, err := strconv.ParseInt(timestamp, 10, 64)
if err != nil || time.Now().Unix()-ts > 300 || ts-time.Now().Unix() > 300 {
return false
}
signed := append([]byte(eventID+"."+timestamp+"."), body...)
received := strings.Split(signature, ",")
for _, secret := range secrets {
mac := hmac.New(sha256.New, []byte(secret))
_, _ = mac.Write(signed)
expected, _ := hex.DecodeString(hex.EncodeToString(mac.Sum(nil)))
for _, value := range received {
value = strings.TrimSpace(value)
if !strings.HasPrefix(value, "v1=") {
continue
}
actual, err := hex.DecodeString(strings.TrimPrefix(value, "v1="))
if err == nil && hmac.Equal(expected, actual) {
return true
}
}
}
return false
}