package androidsmsgateway

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// VerifySignature verifies the HMAC-SHA256 signature of a webhook payload.
// The message is payload concatenated with timestamp (the X-Timestamp header value).
// The signature is the hex-encoded HMAC-SHA256 of that message using secretKey.
func VerifySignature(secretKey, payload, timestamp, signature string) bool {
	message := payload + timestamp
	mac := hmac.New(sha256.New, []byte(secretKey))
	mac.Write([]byte(message))
	expected := hex.EncodeToString(mac.Sum(nil))
	return hmac.Equal([]byte(expected), []byte(signature))
}