verifyWebhookSignature static method
Verifies the webhook signature to confirm that the request was sent by Meta.
payload
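is the raw webhook payload, exactly as received (the signature is computed over its UTF-8 bytes, so a parsed and re-serialized body will not verify)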
signature
is the X-Hub-Signature-256 header value, with or without its leading `sha256=` prefix
appSecret
is your Meta app secret
Implementation
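/// Checks a webhook's `X-Hub-Signature-256` value against an HMAC-SHA256 of
/// [payload] keyed with [appSecret].
///
/// [payload] must be the request body exactly as it was received. The digest
/// is computed over its UTF-8 bytes, so a body that was parsed and then
/// re-serialized will not produce a matching signature.
/// [signature] is the header value, with or without the `sha256=` prefix.
/// [appSecret] is the Meta app secret used as the HMAC key.
///
/// Returns `true` only when the supplied signature equals the hex digest
/// computed here. Returns `false` immediately when [appSecret] is empty.
static bool verifyWebhookSignature(
  String payload,
  String signature,
  String appSecret,
) {
  // Fail closed on a missing secret (for example an unset configuration
  // value passed through as ''). An HMAC keyed with the empty string can be
  // computed by anyone, so a match would prove nothing about the sender.
  if (appSecret.isEmpty) {
    return false;
  }

  // The header carries the algorithm name before the hex digest; strip it so
  // only the digest is compared. A value without the prefix is used as-is.
  const prefix = 'sha256=';
  final cleanSignature = signature.startsWith(prefix)
      ? signature.substring(prefix.length)
      : signature;

  // Expected value: HMAC-SHA256 over the UTF-8 bytes of the payload, keyed
  // with the UTF-8 bytes of the app secret, rendered as a hex string.
  final digest =
      Hmac(sha256, utf8.encode(appSecret)).convert(utf8.encode(payload));
  final expectedSignature = digest.toString();

  // NOTE(review): _secureCompare is defined elsewhere in this class and is
  // presumably a constant-time string comparison. Confirm that it does not
  // return early on the first differing character, since a plain `==` here
  // would leak timing information about the expected digest.
  return _secureCompare(cleanSignature, expectedSignature);
}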