Are you using the body-parser for Express 4, configured to parse JSON POST requests? i.e:
const bodyParser = require('body-parser')
app.use(bodyParser.json());
Without that Express won’t parse the body of the POST request – which will result in the signature validation failing. The code you’ve provided works for me, too, when body-parser is included with the json parser chosen. you can try it here:
const express = require('express')
const app = express()
const crypto = require('crypto')
const bodyParser = require('body-parser')
app.use(bodyParser.text({type: '*/*'}));
app.post("/webhook", (request, response) => {
const webhookSecret = 'secret';
let hash = crypto.createHmac('md5', webhookSecret).update(request.body).digest('hex');
let success = (request.header('x-patreon-signature') === hash);
console.log('Signature received: ' + request.header('x-patreon-signature'));
console.log('Signature generated: ' + hash);
console.log('Signature validation status: ' + success);
return response.status(success ? 200 : 400).json({result: success});
})
app.listen(process.env.PORT)
Edit: this code was updated on May 31st, 2018, to fix a bug: parsing the input as JSON and then turning it back into a string can cause some encoding issues which will cause signature verification to fail sometimes.