Webhook 触发与签名校验
触发入口:
POST /linker/triggers/webhook/<triggerId>
请求体:
- 任意二进制内容,常见为
application/json的 JSON 请求
签名与安全策略(参考 TriggerController#webhook 与 verifyWebhookSignature):
- 若触发器未配置
webhookSecret,则不进行签名校验(兼容内网或测试环境) - 若配置了
webhookSecret,则:-
时间戳头:默认读取
X-Timestamp(或配置的webhookTimestampHeader) -
签名头:默认读取
X-Signature(或配置的webhookSignatureHeader) -
时间戳为秒级 Unix 时间戳(
Instant.now().getEpochSecond()) -
允许的时间偏差为
webhookMaxSkewSeconds秒,超出则拒绝请求 -
待签名内容为:
<timestamp>.<body-as-utf8-string> -
签名算法为:
HMAC-SHA256(secret, signedPayload),结果编码为十六进制小写字符串 -
请求头中的签名支持形如:
sha256=<hex>,会自动去掉前缀后再比对 -
使用常量时间比较避免计时攻击
-
客户端示例(伪代码):
TIMESTAMP=$(date +%s)
BODY='{"event":"order.created","id":"evt_123","amount":100}'
SIGNED_PAYLOAD="${TIMESTAMP}.${BODY}"
SIGNATURE_HEX=$(echo -n "$SIGNED_PAYLOAD" | \
openssl dgst -sha256 -hmac "my-signing-secret" | \
sed 's/^.* //')
curl -X POST "${API_BASE}/linker/triggers/webhook/<triggerId>" \
-H "Content-Type: application/json" \
-H "X-Timestamp: ${TIMESTAMP}" \
-H "X-Signature: sha256=${SIGNATURE_HEX}" \
-d "$BODY"