@Bryan-Square the request always responds with
2XX now. Can you help me debug why a test event signature verifies correctly but a real event from the sandbox does not?
This is what the verification code looks like which works for test events sent through the dashboard:
# Validates HMAC-SHA1 signatures included in webhook notifications to ensure notifications came from Square
def valid_square_signature?(body, signature)
square_webhook_signature_key = ENV['SQUARE_WEBHOOK_SIGNATURE_KEY']
logger.warn "HandleSquareWebhook: Cannot verify webhook, missing signature key. Aborting."
# Combine your webhook notification URL and the JSON body of the incoming request into a single string
string_to_sign = WEBHOOK_URL + body.gsub(/\s+/, "")
# Generate the HMAC-SHA1 signature of the string, signed with your webhook signature key
string_signature = Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', square_webhook_signature_key, string_to_sign))
# Hash the signatures a second time (to protect against timing attacks)
# and compare them
Digest::SHA1.base64digest(string_signature) == Digest::SHA1.base64digest(signature)