bigcommerce - BigCommerce webhook 中的哈希字段是什么？

Question

它是如何产生的？我如何验证它？

https://developer.bigcommerce.com/api/webhooks-getting-started

{ 
  "store_id": 11111,  
  "producer": "stores/abcde",
  "scope": "store/order/statusUpdated",
  "data": { 
     "type": "order",
     "id": 173331
  },
  "hash": "3f9ea420af83450d7ef9f78b08c8af25b2213637"
}

Answer 1

@KarenWhite 在此线程中回答了他们的开发人员布道者。 https://support.bigcommerce.com/s/question/0D51B00004G6kJf/incoming-webhook-posts-hash-field-in-payload

It is hashed with SHA-1, but it is not signed with the client secret:

$payload['hash'] = sha1(json_encode($payload));

此外，2018 年市政厅记录了 webhook 安全性的立场 https://support.bigcommerce.com/s/article/BigCommerce-Town-Hall-February-2018

Q. How can I make sure that a webhook callback is initiated by BigCommerce only, and that the data is not altered between BigCommerce and my server endpoint? Can the hash returned in the webhook payload be used to verify the request?

A. Our webhooks today contain very little information -- they only contain an I.D. to go look up additional information. You would need to be authorized to verify that I.D. against the store’s API to determine the actual information being requested. We also secure our webhooks with TLS encryption, and enable developers to add their own headers to events for additional security.