Request signature in ASP.NET

This article presents a sample implementation of a request signature in ASP.NET.

# Dependencies

This example uses only namespaces that ship with .NET (System, System.Text and System.Security.Cryptography); no third-party packages are required.

# Example

The following simple example implements the algorithm described in the Request signature guide. The most important thing is to use HMACSHA256 from System.Security.Cryptography and to concatenate the parameters in the correct order: method, url, timestamp, body. In this sample the body is appended only when it is non-empty and the method is POST or PUT.

The method parameter should be uppercased, and the url should contain only the path from the URL, not the full URL address (in the sample below the path is passed together with its query string: /webhook?a=1).

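To verify the correctness of your implementation of the request signature algorithm, you can use the data from the sample below. For the provided sample data the correct request signature is 56ac656c7f932c5b775be28949e90af9a2356eae2826539f10ab6526a0eec762. The `==` comparison in the sample is only a self-test against this fixed value; when checking a signature received with a request, compare it with a constant-time function (for example CryptographicOperations.FixedTimeEquals, where the target framework provides it) so that the comparison time does not reveal how many leading characters matched.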

using System;
using System.Text;
using System.Security.Cryptography;

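/// <summary>
/// Sample implementation of the request signature: an HMAC-SHA256 over
/// method + path + timestamp (+ body for POST/PUT), rendered as lowercase hex.
/// </summary>
/// <remarks>
/// This class only produces the signature. A receiver that verifies incoming
/// requests should compare the received and computed values in constant time
/// (for example <c>CryptographicOperations.FixedTimeEquals</c>, where the target
/// framework provides it). Whether and how the timestamp must be checked for
/// freshness is not shown on this page - NOTE(review): confirm against the
/// Request signature guide.
/// </remarks>
public class Program
{
    /// <summary>
    /// Self-test: signs the sample request and prints <c>True</c> when the result
    /// equals the reference signature published with the sample data.
    /// </summary>
    public static void Main()
    {
        // Sample values only. A real API secret should come from configuration
        // or a secret store, never from a literal in source control.
        string apiSecret = "SECRET";
        string method = "POST";
        string path = "/webhook?a=1";
        string timestampMilliseconds = "1563276169752";
        string body = "{\"a\":1}";

        string signature = GenerateSignature(apiSecret, method, path, timestampMilliseconds, body);

        // Plain == is acceptable here because both sides are fixed test data;
        // it is not the comparison to use on a signature received from a peer.
        Console.WriteLine(signature == "56ac656c7f932c5b775be28949e90af9a2356eae2826539f10ab6526a0eec762");
    }

    /// <summary>
    /// Builds the message to sign and returns its HMAC-SHA256 signature.
    /// </summary>
    /// <param name="apiSecret">Shared secret used as the HMAC key (UTF-8 encoded).</param>
    /// <param name="method">HTTP method; upper-cased before signing, so "post" and "POST" sign identically.</param>
    /// <param name="path">Path part of the URL as it is signed (the sample passes it with its query string).</param>
    /// <param name="timestampMilliseconds">Timestamp string, concatenated as given.</param>
    /// <param name="body">Request body; included only when non-empty and the method is POST or PUT.</param>
    /// <returns>Lowercase hexadecimal HMAC-SHA256 of the concatenated message.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="apiSecret"/> or <paramref name="method"/> is null.</exception>
    public static string GenerateSignature(string apiSecret, string method, string path, string timestampMilliseconds, string body = null)
    {
        if (apiSecret == null)
        {
            throw new ArgumentNullException(nameof(apiSecret));
        }

        if (method == null)
        {
            throw new ArgumentNullException(nameof(method));
        }

        // Invariant casing: the culture-sensitive ToUpper() maps 'i' to a dotted
        // capital I under some cultures (e.g. tr-TR), which would change the signed
        // message for methods such as "options" and make signatures depend on the
        // server's locale.
        string upperMethod = method.ToUpperInvariant();
        string message = upperMethod + path + timestampMilliseconds;

        bool methodCarriesBody = upperMethod == "POST" || upperMethod == "PUT";
        if (methodCarriesBody && !string.IsNullOrEmpty(body))
        {
            message += body;
        }

        return HmacSha256Digest(message, apiSecret);
    }

    /// <summary>
    /// Computes HMAC-SHA256 of <paramref name="message"/> keyed with <paramref name="secret"/>.
    /// </summary>
    /// <param name="message">Text to authenticate; encoded as UTF-8.</param>
    /// <param name="secret">HMAC key; encoded as UTF-8.</param>
    /// <returns>The 32-byte MAC as 64 lowercase hexadecimal characters.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="message"/> or <paramref name="secret"/> is null.</exception>
    public static string HmacSha256Digest(string message, string secret)
    {
        if (message == null)
        {
            throw new ArgumentNullException(nameof(message));
        }

        if (secret == null)
        {
            throw new ArgumentNullException(nameof(secret));
        }

        byte[] encodedSecret = Encoding.UTF8.GetBytes(secret);
        byte[] encodedMessage = Encoding.UTF8.GetBytes(message);

        // HMACSHA256 is IDisposable and holds the key material; dispose it
        // deterministically instead of leaving it to the finalizer.
        using (HMACSHA256 hmac256 = new HMACSHA256(encodedSecret))
        {
            byte[] messageHash = hmac256.ComputeHash(encodedMessage);

            // BitConverter yields "AB-CD-..."; strip the dashes and lowercase
            // with invariant rules so the output never depends on the culture.
            return BitConverter.ToString(messageHash).Replace("-", "").ToLowerInvariant();
        }
    }
}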