import { createHmac, timingSafeEqual } from "node:crypto";
import express from "express";
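/**
 * Verify an Inboxbase webhook signature header against the raw request body.
 *
 * The header is read as comma-separated `key=value` pairs. `t` is a Unix
 * timestamp in seconds and `v1` is the hex HMAC-SHA256 of `<t>.<body>` keyed
 * with `secret`. Every malformed or missing input returns `false` instead of
 * throwing, so a bad request cannot turn the check into an unhandled error.
 *
 * The 300-second window limits replay but does not prevent it: a captured
 * request can be resent while its timestamp is still fresh, so the event
 * handling behind this check should be idempotent.
 *
 * @param {string | undefined} sigHeader - Value of the signature header.
 * @param {Buffer | string} body - Raw request body exactly as received.
 * @param {string | Buffer} secret - Shared webhook signing secret.
 * @returns {boolean} `true` only when the timestamp is fresh and `v1` matches.
 */
function verifyInboxbase(sigHeader, body, secret) {
  const TOLERANCE_SECONDS = 300;
  const SHA256_HEX = /^[0-9a-f]{64}$/i;

  // Missing header: reject instead of throwing on `undefined.split`.
  if (typeof sigHeader !== "string") return false;
  // An unset or empty secret must never verify; an empty HMAC key is forgeable.
  if (secret == null || secret.length === 0) return false;
  // Only authenticate real payload bytes, never a coerced "[object Object]".
  if (typeof body !== "string" && !Buffer.isBuffer(body)) return false;

  // A Map avoids treating attacker-chosen keys as object properties.
  const parts = new Map();
  for (const pair of sigHeader.split(",")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    parts.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }

  const timestamp = parts.get("t");
  const signature = parts.get("v1");

  // A non-numeric `t` becomes NaN, and `NaN > 300` is false, which would
  // silently skip the freshness check. Require plain digits.
  if (typeof timestamp !== "string" || !/^\d+$/.test(timestamp)) return false;
  const ageSeconds = Math.abs(Date.now() / 1000 - Number(timestamp));
  if (!Number.isFinite(ageSeconds) || ageSeconds > TOLERANCE_SECONDS) {
    return false;
  }

  // Buffer.from(x, "hex") silently truncates at the first non-hex character and
  // timingSafeEqual throws on unequal lengths, so validate the shape up front.
  if (typeof signature !== "string" || !SHA256_HEX.test(signature)) {
    return false;
  }

  // Hash the body bytes directly; interpolating a Buffer into a string decodes
  // it as UTF-8 first, which is lossy for byte sequences that are not valid UTF-8.
  const expected = createHmac("sha256", secret)
    .update(`${timestamp}.`)
    .update(body)
    .digest();
  const provided = Buffer.from(signature, "hex");

  return (
    provided.length === expected.length && timingSafeEqual(expected, provided)
  );
}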
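const app = express();

// Webhook receiver. express.raw() keeps the body as the exact bytes that were
// signed; parsing it as JSON before verification would change what is hashed.
app.post(
  "/12m",
  express.raw({ type: "application/json" }),
  (req, res) => {
    // express.raw() only produces a Buffer when the Content-Type matched;
    // anything else is not a payload that can be authenticated.
    if (!Buffer.isBuffer(req.body)) return res.status(401).end();

    let ok = false;
    try {
      ok = verifyInboxbase(
        req.header("X-Inboxbase-Signature"),
        req.body,
        process.env.WHSEC,
      );
    } catch {
      // Fail closed: an exception during verification (missing header,
      // malformed signature, unset secret) is an authentication failure,
      // not a 500 with a stack trace.
      ok = false;
    }
    if (!ok) return res.status(401).end();

    // Parse only after the signature has been checked.
    let event;
    try {
      event = JSON.parse(req.body.toString());
    } catch {
      return res.status(400).end();
    }
    // handle event.type ...
    res.status(200).end();
  },
);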