🔑 Keep your Paddle.com webhooks secure by verifying the payload signature with this NPM module.

Verify your Paddle.com Webhooks

Secure your webhooks with ease by validating whether they were really sent by Paddle.com.

Important: You will need your public key from your Paddle account. Find your public key.

Install

$ npm install verify-paddle-webhook

API

This package consists of one easy-to-use function, verifyPaddleWebhook, that checks the p_signature of your Paddle webhook payloads against the public key of your account:

function verifyPaddleWebhook(publicKey, webhookData)

Arguments:

  • publicKey <string> This string is your account's public key.
  • webhookData <object> This is your webhook payload. It should be a JavaScript object that includes the p_signature property as sent by Paddle.
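
What the p_signature check involves, as an added example that is not this module's own source: Paddle's documented scheme for these webhooks removes p_signature, sorts the remaining fields by key, PHP-serializes them with every value as a string, and verifies the base64 signature as RSA with SHA-1. The names phpSerializeFlat, verifySignature and demo are hypothetical, the key pair and payload are constructed for the demo, and a flat payload with ASCII keys is assumed.

```javascript
// Added example, not the verify-paddle-webhook source. Helper names are hypothetical.
const crypto = require('crypto');

// PHP serialize() of a flat array of strings: a:N:{s:len:"key";s:len:"value";...}
// Lengths are UTF-8 byte counts, and nothing inside the quotes is escaped.
function phpSerializeFlat(fields) {
    const str = (s) => `s:${Buffer.byteLength(s)}:"${s}";`;
    const keys = Object.keys(fields).sort(); // matches ksort() for ASCII keys (assumption)
    const body = keys.map((k) => str(k) + str(String(fields[k]))).join('');
    return `a:${keys.length}:{${body}}`;
}

// Returns true only when p_signature is a valid RSA/SHA-1 signature over the other fields.
function verifySignature(publicKey, webhookData) {
    const {p_signature: signature, ...fields} = webhookData || {};
    if (typeof signature !== 'string' || signature.length === 0) {
        return false; // a payload without a signature is never valid
    }
    try {
        return crypto.createVerify('sha1')
            .update(phpSerializeFlat(fields))
            .verify(publicKey, signature, 'base64');
    } catch (err) {
        return false; // malformed key or signature: fail closed
    }
}

// Constructed demo: a throwaway key pair stands in for Paddle's, since the real private key is not available.
function demo() {
    const {publicKey, privateKey} = crypto.generateKeyPairSync('rsa', {
        modulusLength: 2048,
        publicKeyEncoding: {type: 'spki', format: 'pem'},
        privateKeyEncoding: {type: 'pkcs8', format: 'pem'},
    });
    const fields = {alert_id: '1234567890', balance_currency: 'USD', balance_earnings: '321.12'};
    const p_signature = crypto.createSign('sha1')
        .update(phpSerializeFlat(fields)).sign(privateKey, 'base64');
    const genuine = {...fields, p_signature};
    return {
        genuine: verifySignature(publicKey, genuine),
        tampered: verifySignature(publicKey, {...genuine, balance_earnings: '999999.00'}),
        unsigned: verifySignature(publicKey, fields),
    };
}

console.log(demo());
```

Changing any signed field after signing, or dropping p_signature, makes verification fail, which is why the payload should reach the check as Paddle sent it.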

Basic Usage

const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

function isValid(paddleWebhookData) {
    return verifyPaddleWebhook(PUBLIC_KEY, paddleWebhookData);
}

Examples

Example: Express.js

const express = require('express');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

const app = express();
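// Parse the URL-encoded body Paddle sends into req.body; Express 4 expects the extended option to be set explicitly
app.use(express.urlencoded({extended: false}));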

app.post('/webhook', function(req, res) {
    if (verifyPaddleWebhook(PUBLIC_KEY, req.body)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
    res.sendStatus(200);
});

app.listen(80);

Example: Using Node.js to parse the request body:

Paddle actually sends the payload in the body of a POST request formatted as a URL-encoded query string:

alert_id=1234567890&balance_currency=USD&balance_earnings=321.12&balance_fee=666.33 ...etc...

Many high-level frameworks will convert that into a JS object for use with verifyPaddleWebhook, but if you need to convert it manually, you can use the Node.js querystring module to parse the body:

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

// Named processWebhook so it does not shadow Node's global `process` object
function processWebhook(body) {
    const webhookData = querystring.parse(body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }
}

Example: AWS Lambda function / Netlify function (Node.js)

This example works for AWS Lambda and Netlify.

Note: For AWS Lambda this assumes the Lambda function is invoked through AWS API Gateway using proxy integration (see tutorial).

For more detail see the Node.js example.

const querystring = require('querystring');
const {verifyPaddleWebhook} = require('verify-paddle-webhook');

const PUBLIC_KEY =
`-----BEGIN PUBLIC KEY-----
Your public key here
-----END PUBLIC KEY-----`;

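exports.handler = async function(event, context) {
    // API Gateway and Netlify set isBase64Encoded when the body arrives base64-encoded
    const body = event.isBase64Encoded
        ? Buffer.from(event.body || '', 'base64').toString('utf8')
        : event.body;
    const webhookData = querystring.parse(body);
    if (verifyPaddleWebhook(PUBLIC_KEY, webhookData)) {
        console.log('Webhook is valid!');
        // process the webhook
    }

    return {"statusCode": 200, "body": "OK"};
};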