DEV Community

Sibelius Seraphini for Woovi

Drawbacks of IP whitelist

At Woovi we think a lot about any tiny decision, and how it can impact our business and product in the short and long term.

One common request from our users is to be able to whitelist a set of IPs, or an IP range, to protect their webhook callback endpoints that receive notifications of new payments.

Providing a fixed set of IPs for our users would cause a lot of drawbacks when scaling our services.

Drawbacks of IP whitelist

Imagine we have a list of fixed IPs, and we need to change them in the future. We would need to notify all our users to modify their IP whitelist to add the new IPs. For those who did not update it in time, their payment integrations would break, causing a lot of customer support requests.

Another drawback of a fixed set of IPs is that they are an easy target for hacker attacks.

A more robust approach

Security is non-negotiable for us.
Our users still need to validate that a payment confirmation notification comes only from Woovi servers.
To make this possible, we sign all webhook notifications using our private key.
User servers then validate each request using the Woovi public key.
This approach also ensures the payload was not tampered with.

Below is sample JavaScript code that can be used to validate a webhook payload.

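import crypto from 'crypto';

// Assumption: the base64-encoded PEM public key (shown below) is supplied
// through an environment variable of the same name.
const WOOVI_PUBLIC_KEY_BASE64 = process.env.WOOVI_PUBLIC_KEY_BASE64;

const algorithm = 'sha256';
const signatureFormat = 'base64';

// payload: the webhook body as a string or Buffer
// signature: the base64-encoded signature sent with the webhook
export const verifyPayload = (payload, signature) => {
  // Decode the base64 wrapper to recover the PEM text of the public key
  const publicKey = Buffer.from(WOOVI_PUBLIC_KEY_BASE64, 'base64').toString('ascii');

  const verify = crypto.createVerify(algorithm);

  verify.write(Buffer.from(payload));
  verify.end();

  // true only if the signature matches the payload under the public key
  const isValid = verify.verify(publicKey, signature, signatureFormat);

  return isValid;
};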

Here is our Public Key

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/+NtIkjzevvqD+I3MMv3bLXDt
pvxBjY4BsRrSdca3rtAwMcRYYvxSnd7jagVLpctMiOxQO8ieUCKLSWHpsMAjO/zZ
WMKbqoG8MNpi/u3fp6zz0mcHCOSqYsPUUG19buW8bis5ZZ2IZgBObWSpTvJ0cnj6
HKBAA82Jln+lGwS1MwIDAQAB
-----END PUBLIC KEY-----
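
The verification flow above, extended into an added example (not Woovi's code): it fails closed on missing or malformed input and shows that the signature only verifies over the exact bytes received. The RSA key pairs are generated on the spot as stand-ins for Woovi's keys, and `verifyWebhook`, `signForDemo`, `newKeyPair` and the payload are assumed names and constructed data.

```javascript
// Added example (Node.js, CommonJS). Keys and payload are constructed for the demo.
const { createSign, createVerify, generateKeyPairSync } = require('node:crypto');

// Verify a base64 signature over the body exactly as it arrived on the wire.
// rawBody must be the unparsed bytes (Buffer or string), not a re-serialized object.
function verifyWebhook(rawBody, signatureB64, publicKeyPem) {
  if (typeof signatureB64 !== 'string' || signatureB64.length === 0) return false;
  if (!Buffer.isBuffer(rawBody) && typeof rawBody !== 'string') return false;
  try {
    const verify = createVerify('sha256');
    verify.update(rawBody);
    return verify.verify(publicKeyPem, signatureB64, 'base64');
  } catch {
    return false; // malformed key or signature: fail closed
  }
}

// Stand-in for the sender: signs with a throwaway private key (hypothetical helper).
function signForDemo(rawBody, privateKeyPem) {
  return createSign('sha256').update(rawBody).sign(privateKeyPem, 'base64');
}

function newKeyPair() {
  return generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

function demo() {
  const sender = newKeyPair();
  const stranger = newKeyPair();
  const rawBody = '{"event": "payment", "value": 1000}'; // constructed payload
  const sig = signForDemo(rawBody, sender.privateKey);
  return {
    genuine: verifyWebhook(rawBody, sig, sender.publicKey),
    tampered: verifyWebhook(rawBody.replace('1000', '9000'), sig, sender.publicKey),
    // Parsing and re-stringifying drops the spaces, so the bytes no longer match.
    reserialized: verifyWebhook(JSON.stringify(JSON.parse(rawBody)), sig, sender.publicKey),
    parsedObject: verifyWebhook(JSON.parse(rawBody), sig, sender.publicKey),
    missingSignature: verifyWebhook(rawBody, undefined, sender.publicKey),
    wrongKey: verifyWebhook(rawBody, sig, stranger.publicKey),
  };
}

console.log(demo());
```

In a web framework, capture the request body before any JSON middleware parses it, and pass those captured bytes to the verifier.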

In Conclusion

Using private/public key validation is simpler than maintaining an IP whitelist or using HMAC.
We are adding the signature validation check to all our SDKs to make our users' integration easier than ever.
We also want to make it easy to add this validation for the most common firewall solutions, like Cloudflare.


Woovi
Woovi is a Startup that enables shoppers to pay as they like. To make this possible, Woovi provides instant payment solutions for merchants to accept orders.

If you want to work with us, we are hiring!



Top comments (1)

Joe Mainwaring • Edited

Excellent article when you're in full control of the IP Whitelist situation! Having a more robust alternative to securely communicate between parties is very useful.

As someone who has to deal with IP whitelists between our customers and our third-party vendors (ex: transactional emails), I've seen plenty of pushback on IP Whitelists, especially if that IP is a multi-tenant resource from the third party.