No examples of webhook signature verification.

[dgouldin]

The docs say your client libraries will handle signature verification:

https://clearbit.com/docs#webhooks-securing-webhooks

but I see no evidence of this in the python library.

[maccman]

Ah I'm afraid we've only added it to the Ruby library so far - you're right, we need to add it to the Python library too.

https://github.com/clearbit/clearbit-ruby/blob/master/lib/clearbit/webhook.rb#L11

[mgilson]

FWIW, I think that this should be able to be accomplished in python as follows:

import hmac
import hashlib
...
signature = get_header(request, 'X-Request-Signature')  # framework-specific way to get header from request...
body = get_body(request) # framework-specific way to get raw body from request...
signature_check = 'sha1=' + hmac.new('clearbit-api-key', body, hashlib.sha1).hexdigest()
if not hmac.compare_digest(signature, signature_check):
    # Attacker!!!!

Unfortunately, hmac.compare_digest wasn't added until python2.7.7 -- Older versions will need to fall back on the less secure if signature != signature_check: ...