Processing Messages
All messages are sent to a publicly accessible HTTP endpoint. This document contains instructions on how to securely authenticate the requests.
Messages are accompanied by an HTTP header, X-Antenny-Sig, which contains a cryptographically secure SHA-256 HMAC signature. Modern programming languages have easy ways to compute these signatures. To compute the signature, follow these steps:
- Retrieve your customer secret from the Antenny dashboard
- Compute a base64 SHA-256 HMAC signature using the entire request body
- Compare the computed signature to the signature contained in the X-Antenny-Sig header
Example Code
    const crypto = require('crypto');
    const express = require('express');
    const cors = require('cors');

    const app = express();
    app.use(cors());
    // keep the raw request bytes: the signature covers the entire body as sent,
    // and re-serializing the parsed JSON may not reproduce those exact bytes
    app.use(express.json({
      verify: (req, res, buf) => { req.rawBody = buf; }
    }));

    app.post('/endpoint', (req, res, next) => {
      // retrieve accompanying antenny signature
      const sig = req.headers && req.headers['x-antenny-sig'];
      if (!sig) {
        // no signature present
        res.status(400);
        res.end();
        return;
      }
      if (!req.rawBody) {
        // bad or missing body
        res.status(400);
        res.end();
        return;
      }
      // customer secret provided by environment variable
      const secret = process.env.CUSTOMER_SECRET;
      const hmac = crypto.createHmac('sha256', secret);
      hmac.update(req.rawBody);
      const expected = Buffer.from(hmac.digest('base64'));
      const received = Buffer.from(String(sig));
      // compare in constant time; timingSafeEqual requires equal lengths
      if (expected.length !== received.length ||
          !crypto.timingSafeEqual(expected, received)) {
        // signature mismatch
        res.status(400);
        res.end();
        return;
      }
      // signatures match - process request
      res.status(200);
      res.end();
    });

    module.exports = app;
If these signatures match, we can confidently say that Antenny was the sender of the request. If the signatures do not match, the request should be disregarded as it could be from a malicious 3rd party.
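The verification steps above can be exercised offline with the following added example, which is not Antenny's code. It assumes the sender signs the exact bytes it transmits; the names sign, verify, demo and SECRET and the sample body are constructed for illustration. It shows that a body that has been parsed and re-serialized no longer matches the signature.

```javascript
// Added example; sign, verify, demo and SECRET are hypothetical names.
const crypto = require('crypto');

// Constructed secret for the demo; the real one comes from the Antenny dashboard.
const SECRET = 'constructed-demo-secret';

// Sender side: base64 SHA-256 HMAC over the exact bytes of the body.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Receiver side: recompute over the raw bytes and compare in constant time.
function verify(rawBody, sigHeader, secret) {
  if (typeof sigHeader !== 'string' || !secret) return false;
  const expected = Buffer.from(sign(rawBody, secret), 'utf8');
  const received = Buffer.from(sigHeader, 'utf8');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (expected.length !== received.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed request body, as the bytes would arrive on the wire.
const wireBody = Buffer.from('{"amount": 10.0, "note": "caf\\u00e9"}', 'utf8');
const header = sign(wireBody, SECRET);

// Parsing and re-serializing changes whitespace, number and escape formatting.
const reserialized = Buffer.from(
  JSON.stringify(JSON.parse(wireBody.toString('utf8'))), 'utf8');

function demo() {
  return {
    rawBytes: verify(wireBody, header, SECRET),
    reserialized: verify(reserialized, header, SECRET),
    tampered: verify(Buffer.from('{"amount": 99.0}'), header, SECRET),
    missingHeader: verify(wireBody, undefined, SECRET),
    truncatedHeader: verify(wireBody, header.slice(0, 10), SECRET),
  };
}

console.log(demo());
```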
Customer Secret
It is imperative that your customer secret is kept secure. If it were to be exposed, your endpoint could be open to man-in-the-middle attacks.