Webhook signature verification not implemented

[prj]

Seems like the signature verification is not implemented for webhooks.
Only the json deserialization.

Would be useful if you did implement it, because everyone has to implement it themselves otherwise.

[prj]

Here is my implementation, which is in production now, maybe useful for someone else in the future:

@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
	log.info("Received webhook from kevin...");
	
	String payload = IOUtils.toString(req.getInputStream(), req.getCharacterEncoding());

	String kevinTimestamp = req.getHeader("X-Kevin-Timestamp");
	String kevinSignature = req.getHeader("X-Kevin-Signature");
	
	String forSignature = "POST" + vehicalProperties.getKevinWebhookUrl() + kevinTimestamp + payload;
	
	Mac sha256_HMAC = null;
	try {
		sha256_HMAC = Mac.getInstance("HmacSHA256");
		SecretKeySpec secret_key = new SecretKeySpec(vehicalProperties.getKevinEndpointSecret().getBytes("UTF-8"), "HmacSHA256");
		sha256_HMAC.init(secret_key);
	} catch (Exception e) {
		log.log(Level.SEVERE, "Error initializing HMAC algorithm.", e);
		resp.setStatus(400);
		return;
	}
	
	String computedSignature = Hex.encodeHexString(sha256_HMAC.doFinal(forSignature.getBytes("UTF-8")));
	
	if (!kevinSignature.equals(computedSignature)) {
		log.severe("Webhook signature verification failed.");
		resp.setStatus(400);
		return;
	}
	
	Parser parser = new Parser();
	PaymentWebhookPayload parsedHook = parser.parsePaymentWebhookRequest(payload);
	
	...

}