package hyperswitch

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"errors"
)

// VerifyWebhookSignature verifies the Hyperswitch webhook signature.
// Uses HMAC-SHA512 with the payload and secret (payment_response_hash_key).
// Header: x-webhook-signature-512
func VerifyWebhookSignature(payload []byte, signatureHeader, secret string) error {
	if secret == "" {
		return errors.New("webhook secret not configured")
	}
	if signatureHeader == "" {
		return errors.New("missing x-webhook-signature-512 header")
	}
	mac := hmac.New(sha512.New, []byte(secret))
	mac.Write(payload)
	expected := hex.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(signatureHeader), []byte(expected)) {
		return errors.New("invalid webhook signature")
	}
	return nil
}