So I am trying to verify twitch webhook notification payload.
I compute hash like following code.
:crypto.hmac(:sha256, "s3cRe7", Poison.encode!(conn.body_params)) |> Base.encode16(case: :lower)
I have already checked that content-length equals to encoded body_params.
But not match it to x-hub-signature.
And I tried to use Plug.Crypto.MessageVerifier, but not matched.
Guide is here.
If a secret was provided when you created the subscription, Twitch signs the notification payload using that secret. We strongly recommend you verify the signature to confirm that the notification is genuine.
To verify payloads, you need to compute the hash properly. A common reason this may fail is unexpected string manipulation (e.g., JSON encoding or character escaping), which is done automatically by some web frameworks. To debug this, verify that the value of the content-length header matches the number of bytes you received in the notification payload. You may discover that notification hashing for payloads is failing due to unusual Unicode.