Authenticating server-to-server callbacks

To ensure system security, you must authenticate every callback request sent from the ZEGO server to your application server. You can verify the callback request by comparing the signature included in the request with the locally calculated signature.

Verifying the callback request signature

The following flow chart shows the signature calculation and verification process:

Sample code

Refer to the following sample code for how to generate and verify the callback request signature.

• Sample code in PHP

// Obtain the value of signature, timestamp, and nonce from the request parameters.
$signature = $_POST["signature"];
$timestamp = $_POST["timestamp"];
$nonce = $_POST["nonce"];

$secret = callbacksecret;// Use the CallbackSecret obtained from the ZEGO Admin Console.
$tmpArr = array($secret, $timestamp, $nonce);
sort($tmpArr, SORT_STRING);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );

if( $tmpStr == $signature ){
    return true;
} else {
    return false;
}

• Sample code in Java

//  Obtain the value of signature, timestamp, and nonce from the request parameters.
String signature = request.getParameter("signature");
long timestamp = request.getParameter("timestamp");
String nonce = request.getParameter("nonce");

// Use the CallbackSecret obtained from the ZEGO Admin Console.
String secret = callbacksecret;

String[] tempArr = {secret, ""+timestamp, nonce};
Arrays.sort(tempArr);

String tmpStr = "";
for (int i = 0; i < tempArr.length; i++) {
    tmpStr += tempArr[i];
}
tmpStr = org.apache.commons.codec.digest.DigestUtils.sha1Hex(tmpStr);

return tmpStr.equals(signature);

Sample output

$timestamp = 1470820198;
$nonce = 123412;
$secret = 'secret';

The concatenated string before encryption:1234121470820198secret
The string generated after encryption:5bd59fd62953a8059fb7eaba95720f66d19e4517