const crypto = require('crypto')
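/**
 * Checks a webhook signature header against the HMAC-SHA256 of the raw request body.
 *
 * The expected value is the string 'sha256=' followed by the hex digest of
 * HMAC-SHA256(secret, rawBody). The comparison is constant-time.
 *
 * @param {Buffer|string} rawBody - Request body exactly as received, before any JSON parsing.
 * @param {string|undefined} signatureHeader - Value of the signature header sent with the request.
 * @param {string|Buffer} secret - Shared webhook signing secret.
 * @returns {boolean} true only when the header matches the expected signature.
 */
function verifySignature(rawBody, signatureHeader, secret) {
  // Fail closed: a missing header or an unset/empty secret can never verify.
  // An empty secret would otherwise produce an HMAC that anyone can compute.
  if (typeof signatureHeader !== 'string' || !secret) {
    return false
  }

  const digest = crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
  const expected = Buffer.from(`sha256=${digest}`)
  const received = Buffer.from(signatureHeader)

  // timingSafeEqual throws a RangeError when the buffers differ in length, so a
  // malformed header must be rejected here instead of surfacing as a server error.
  // The expected length is fixed and public, so this check leaks nothing useful.
  if (received.length !== expected.length) {
    return false
  }
  return crypto.timingSafeEqual(received, expected)
}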
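// Express — express.raw() keeps req.body as the exact bytes that were signed.
// A body that was parsed and re-serialised would not hash to the same value.
app.post('/webhooks/steadpay', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-steadpay-signature']

  // express.raw() only yields a Buffer when the Content-Type matches. Reject a
  // non-Buffer body or a missing header before they reach the HMAC code, and
  // answer with the same 400 as a bad signature.
  const hasSignedInput = Buffer.isBuffer(req.body) && typeof sig === 'string'
  if (!hasSignedInput || !verifySignature(req.body, sig, process.env.STEADPAY_WEBHOOK_SECRET)) {
    return res.status(400).send('Invalid signature')
  }

  // Parse only after the signature has been verified.
  let payload
  try {
    payload = JSON.parse(req.body)
  } catch (err) {
    return res.status(400).send('Invalid JSON')
  }

  // NOTE(review): a valid signature does not stop a captured request from being
  // replayed; if the payload carries a unique event identifier, deduplicate on it.
  // process payload...
  res.sendStatus(200)
})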