Organisations and third parties interested in integrating with LiveHeats can request to subscribe to webhook events and receive notifications when competitions are created or updated, or when their results are published to the rankings.
For added security, when a webhook event is delivered, the liveheats-signature header is included in the request. This header contains a timestamp and a signature and it's used to verify that the request came from LiveHeats.
The timestamp is prefixed by t=, and the signature is prefixed by a scheme. Schemes start with v, followed by an integer and =. Currently, the only valid signature scheme is v1=.
LiveHeats generates signatures using a hash-based message authentication code (HMAC) with SHA-512. To prevent downgrade attacks, you should ignore all schemes that are not v1.
Example of signature:
liveheats-signature:
t=1670370959,v1=d9c4869606be77c74531ac9c79dd21f625fa08488b2754cb2f8ae54d
How to verify a signature
Step 1: Extract the timestamp and signatures from the header
Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.
The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature. You can discard all other elements.
Step 2: Prepare the signed_payload string
You achieve this by concatenating:
- The timestamp, i.e. the value of t (as a string).
- The character .
- The actual raw payload (i.e. the request’s body, byte for byte, not a re-serialised version of it).
Step 3: Determine the expected signature
Compute an HMAC with the SHA-512 hash function. Use the endpoint’s signing secret (your private key) as the key, and use the signed_payload string created in the previous step as the message.
Step 4: Compare signatures
Compare the signature(s) in the header to the expected signature. If a signature matches, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.
To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.