@gravitywelluk/square-utils
2.0.0 • Public • Published

Gravitywell Square Utils

A library to assist in the implementation of Square


Verify and Validate an Event Notification

Because your notification URL is public and can be called by anyone, you must validate each event notification to confirm that it came from Square. A non-Square post can potentially compromise your application. All webhook notifications from Square include an x-square-signature header. The value of this header is an HMAC-SHA1 signature generated using your webhook signature key, the notification URL, and the raw body of the request. You can validate the webhook notification by generating the HMAC-SHA1 in your own code and comparing it to the signature of the event notification you received.

The following function generates an HMAC-SHA1 signature from your signature key, the notification URL, and the event notification body. You can then compare the result with the event notification's x-square-signature.

Usage

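import { isFromSquare } from "@gravitywelluk/square-utils";

// The URL where event notifications are sent.
const NOTIFICATION_URL = "https://example.com/webhook";

// The event notification subscription signature key (sigKey) defined in the developer portal for the app.
const SIG_KEY = "<SIGNATURE_KEY>";

// gatewayProxyHandler is not imported in this snippet; it is assumed to be your application's own handler wrapper.
export const handler = gatewayProxyHandler(async event => {
  // Pass the body exactly as received; do not parse and re-serialise it before validating.
  const rawBody = event.body;
  const squareSignature = event.headers["x-square-signature"];
  const eventIsFromSquare = isFromSquare(SIG_KEY, NOTIFICATION_URL, squareSignature, rawBody);

  // Process the notification only when eventIsFromSquare is true.
});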
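The check described above, written out as an added example (not the package's own isFromSquare source) to show why the raw body matters and how to compare signatures in constant time. It assumes the header value is the base64 encoding of HMAC-SHA1 over the notification URL concatenated with the raw body; verifySquareSignature, signNotification and all sample values are hypothetical and constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example (hypothetical helper, not the package's isFromSquare source).
// Assumption: x-square-signature = base64(HMAC-SHA1(sigKey, notificationUrl + rawBody)).
function verifySquareSignature(
  sigKey: string,
  notificationUrl: string,
  signatureHeader: string | undefined,
  rawBody: string | null | undefined
): boolean {
  // A missing header or body is a failed validation, not an exception.
  if (!signatureHeader || rawBody == null) return false;

  const expected = createHmac("sha1", sigKey)
    .update(notificationUrl + rawBody, "utf8")
    .digest();
  const received = Buffer.from(signatureHeader, "base64");

  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Test helper: produces the header value a sender holding the key would attach.
function signNotification(sigKey: string, notificationUrl: string, rawBody: string): string {
  return createHmac("sha1", sigKey).update(notificationUrl + rawBody, "utf8").digest("base64");
}

// Constructed sample values, not real Square data.
const SAMPLE_KEY = "constructed-signature-key";
const SAMPLE_URL = "https://example.com/webhook";
const SAMPLE_BODY = '{"type": "payment.updated", "event_id": "constructed-0001"}';
const SAMPLE_SIG = signNotification(SAMPLE_KEY, SAMPLE_URL, SAMPLE_BODY);

// Re-serialising drops the spaces after ":" and ",", so the bytes no longer match.
const REPARSED_BODY = JSON.stringify(JSON.parse(SAMPLE_BODY));

console.log(verifySquareSignature(SAMPLE_KEY, SAMPLE_URL, SAMPLE_SIG, SAMPLE_BODY));   // raw body
console.log(verifySquareSignature(SAMPLE_KEY, SAMPLE_URL, SAMPLE_SIG, REPARSED_BODY)); // re-serialised body
```

If your framework parses JSON before your handler runs, capture the unparsed request body separately and validate against that.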

Install

npm i @gravitywelluk/square-utils

License

MIT

Unpacked Size

6.85 kB

Total Files

7

Collaborators

  • gravitywell.uk