Webhook signature validation - Python

I’ve previously posted example code for signature validation here for someone else having issues – although with JavaScript, not Python. Their issue was that the value they were using for the body of the request was not the actual request body; I’m going to guess the same is true here.

Looking at the documentation for Werkzeug Request get_data, I think you need to pass in as_text=True to obtain the right value for generating the signature.

If as_text is set to True the return value will be a decoded unicode string.

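from hashlib import md5

# `request` is the Werkzeug request object available inside the webhook handler
secret = b'foo'  # webhook secret, as bytes
sighash = md5(secret)
# md5.update() only accepts bytes on Python 3, so encode the decoded text back to UTF-8
sighash.update(request.get_data(as_text=True).encode('utf-8'))
assert sighash.hexdigest() == request.headers['X-Patreon-Signature']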

If this doesn’t help, I’d recommend visiting the Register Webhooks page and using one of the example webhook bodies in your code instead of pulling it from the request body, to verify whether your signature verification is written correctly; that will help ascertain where the issue lies.
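
The body mismatch described in this post, as an added example that is not part of the original post or Patreon's code: it shows a signature verifying over the exact received bytes and failing over a parsed and re-serialized copy of the same JSON. It assumes the signature is the hex HMAC-MD5 of the raw body keyed with the webhook secret (the page does not state the construction); the secret, body and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real Patreon data.
SECRET = b"constructed-webhook-secret"
RAW_BODY = b'{"data":{"type":"member","id":"1"}}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-MD5 over the body bytes (assumed signing scheme)."""
    return hmac.new(secret, raw_body, hashlib.md5).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value matches the signature of raw_body.

    raw_body must be the request body exactly as received, before any
    JSON parsing or re-encoding.
    """
    if not header_value:
        return False  # missing header: reject instead of raising KeyError
    expected = compute_signature(secret, raw_body).encode("ascii")
    supplied = header_value.strip().lower().encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, supplied)


def demo() -> dict:
    """Verify one constructed delivery three ways and report the outcomes."""
    header = compute_signature(SECRET, RAW_BODY)  # what the sender would attach
    # Same JSON document, different bytes: json.dumps adds spaces after ':' and ','.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "raw_bytes": verify_webhook(SECRET, RAW_BODY, header),
        "reserialized": verify_webhook(SECRET, reserialized, header),
        "missing_header": verify_webhook(SECRET, RAW_BODY, None),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```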