PWA-implementation

LittleShop/Services/BTCPayServerService.cs

@@ -83,9 +83,28 @@ public class BTCPayServerService : IBTCPayServerService
 
     public Task<bool> ValidateWebhookAsync(string payload, string signature)
     {
-        // Implement webhook signature validation
-        // This is a simplified version - in production, implement proper HMAC validation
-        return Task.FromResult(true);
+        try
+        {
+            // BTCPay Server uses HMAC-SHA256 with format "sha256=<hex>"
+            if (!signature.StartsWith("sha256="))
+            {
+                return Task.FromResult(false);
+            }
+
+            var expectedHash = signature.Substring(7); // Remove "sha256=" prefix
+            var secretBytes = System.Text.Encoding.UTF8.GetBytes(_webhookSecret);
+            var payloadBytes = System.Text.Encoding.UTF8.GetBytes(payload);
+
+            using var hmac = new System.Security.Cryptography.HMACSHA256(secretBytes);
+            var computedHash = hmac.ComputeHash(payloadBytes);
+            var computedHashHex = Convert.ToHexString(computedHash).ToLowerInvariant();
+
+            return Task.FromResult(expectedHash.Equals(computedHashHex, StringComparison.OrdinalIgnoreCase));
+        }
+        catch
+        {
+            return Task.FromResult(false);
+        }
     }
 
     private static string GetCurrencyCode(CryptoCurrency currency)