Verifying requests

const crypto = require('crypto');

function isValid(req, secret) {
  const signature = req.headers['x-hook-signature'];
  const digest = crypto
    .createHmac('sha256', secret)
    .update(req.rawBody)
    .digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(digest));
}

Make sure to read the body as a raw string before parsing it to JSON.