Invalid Signature (no signature in header?)

[CNRP]

So I'm tying to accept a webhook from compare-my-move and I'm having trouble with the signature being invalid on my server..

I changed my URL to point to pipedream so I could test it.. and It seems as though there is no secret in the headers of the response? Instead appears to be in the body..

{
  "method": "POST",
  "path": "/",
  "query": {},
  "client_ip": "185.116.212.169",
  "url": "https://d2469033e9e3ba6ea6dd6602f22cfa9e.m.pipedream.net/",
  "headers": {
    "0": "Accept: application/json",
    "1": "Content-Type: application/json",
    "host": "d2469033e9e3ba6ea6dd6602f22cfa9e.m.pipedream.net",
    "content-length": "1445",
    "user-agent": "GuzzleHttp/7",
    "content-type": "application/json"
  },
  "bodyRaw": "\"{\\\"result\\\":{\\\"cancelled\\\":false,\\\"competingCompanies\\\":1,\\\"companyName\\\":null,\\\"customerName\\\":\\\"Test Customer\\\",\\\"createdAt\\\":\\\"2023-08-15 13:34:29\\\",\\\"email\\\":\\\"test@email.com\\\",\\\"first_name\\\":\\\"Test\\\",\\\"movingDate\\\":\\\"2023-08-29 13:34:29\\\",\\\"phone\\\":\\\"00000111111\\\",\\\"quoteId\\\":\\\"Tes-1692102869\\\",\\\"referralType\\\":\\\"residential\\\",\\\"surname\\\":\\\"Customer\\\",\\\"current_address_line_1\\\":\\\"123 Current St\\\",\\\"current_address_line_2\\\":null,\\\"current_address_line_3\\\":null,\\\"current_address_line_4\\\":null,\\\"current_town\\\":\\\"Current Town\\\",\\\"current_county\\\":\\\"Current County\\\",\\\"current_postcode\\\":\\\"CF11 9HA\\\",\\\"current_bedrooms\\\":\\\"3\\\",\\\"current_size_of_storage_unit\\\":null,\\\"current_lift\\\":null,\\\"current_level\\\":null,\\\"current_type\\\":\\\"house\\\",\\\"current_parking_details\\\":\\\"\\\",\\\"new_address_line_1\\\":\\\"123 New St\\\",\\\"new_address_line_2\\\":null,\\\"new_address_line_3\\\":null,\\\"new_address_line_4\\\":null,\\\"new_town\\\":\\\"New Town\\\",\\\"new_county\\\":\\\"New County\\\",\\\"new_town_only\\\":null,\\\"new_postcode\\\":\\\"CF11 9HB\\\",\\\"new_bedrooms\\\":\\\"3\\\",\\\"new_lift\\\":null,\\\"new_level\\\":null,\\\"new_type\\\":\\\"house\\\",\\\"new_size_of_storage_unit\\\":null,\\\"new_parking_details\\\":\\\"\\\",\\\"flexible_moving_date\\\":false,\\\"packing\\\":[],\\\"additional_information\\\":\\\"Any additional information goes here.\\\"},\\\"timestamp\\\":1692102869,\\\"token\\\":\\\"0832ea27bf25dbee8c32ea7e667aa31e0f76f75cfde91c99f3\\\",\\\"signature\\\":\\\"3f27de39e825af0fcde30ec095a810e3cbf3f0d22e5942b3e6681809ac0e8ed7\\\"}\"",
  "body": "{\"result\":{\"cancelled\":false,\"competingCompanies\":1,\"companyName\":null,\"customerName\":\"Test Customer\",\"createdAt\":\"2023-08-15 13:34:29\",\"email\":\"test@email.com\",\"first_name\":\"Test\",\"movingDate\":\"2023-08-29 13:34:29\",\"phone\":\"00000111111\",\"quoteId\":\"Tes-1692102869\",\"referralType\":\"residential\",\"surname\":\"Customer\",\"current_address_line_1\":\"123 Current St\",\"current_address_line_2\":null,\"current_address_line_3\":null,\"current_address_line_4\":null,\"current_town\":\"Current Town\",\"current_county\":\"Current County\",\"current_postcode\":\"CF11 9HA\",\"current_bedrooms\":\"3\",\"current_size_of_storage_unit\":null,\"current_lift\":null,\"current_level\":null,\"current_type\":\"house\",\"current_parking_details\":\"\",\"new_address_line_1\":\"123 New St\",\"new_address_line_2\":null,\"new_address_line_3\":null,\"new_address_line_4\":null,\"new_town\":\"New Town\",\"new_county\":\"New County\",\"new_town_only\":null,\"new_postcode\":\"CF11 9HB\",\"new_bedrooms\":\"3\",\"new_lift\":null,\"new_level\":null,\"new_type\":\"house\",\"new_size_of_storage_unit\":null,\"new_parking_details\":\"\",\"flexible_moving_date\":false,\"packing\":[],\"additional_information\":\"Any additional information goes here.\"},\"timestamp\":1692102869,\"token\":\"0832ea27bf25dbee8c32ea7e667aa31e0f76f75cfde91c99f3\",\"signature\":\"3f27de39e825af0fcde30ec095a810e3cbf3f0d22e5942b3e6681809ac0e8ed7\"}"
}

the documentation for these webhooks on their site is here:
https://www.comparemymove.com/assets/files/compare-my-move-webhook-docs-removals.pdf

I'm not quite sure where to go from here, I could be wrong with my assumptions however this is my first time attempting to implement webhooks so its proving quite difficult for me. I believe I may have to implement a custom SignatureValidator however I'm really unsure as to how that implementation would work with the results like this.

Any help at all would be greatly appreciated, I'm really stumped on this one.

[CNRP]

I've ended up figuring out the custom signature validator.

Code if anyone has a similar problem:

    public function isValid(Request $request, WebhookConfig $config): bool
    {

        // Decode payload
        $payload = json_decode($request->getContent());
        $payload = json_decode($payload, true);

        Log::debug('Payload', [
        'payload' => $request->getContent(),
        'signature' => $payload['signature']
        ]);

        // Get timestamp, signature, token
        $timestamp = $payload['timestamp'];
        $signature = $payload['signature'];
        $token = $payload['token'];

        // Generate signature
        $data = "{$timestamp}{$token}";

            // Generate hash
        $generatedSignature = hash_hmac('sha256', $data, $config->signingSecret);

        // Compare signatures
        $isValid = hash_equals($generatedSignature, $signature);

        // Log result
        Log::debug('Validation Result', [$isValid]);

        return $isValid;

    }