Code Room
Coding | Medium | cod-g990
Subject: Security | Level: Mid–Senior | ~20 min | Common in Security interviews | Industries: Software development

Question

Implement HMAC verification for a webhook receiver. Given a shared secret `key`, the received `message`, and the `signature_hex` the sender claims is the HMAC-SHA256 of the message, return True only if the signature is valid. Compute the HMAC using the secret as the key and verify it matches the provided hex digest. You must compare in a way that does not leak timing information about how many leading bytes matched.

Implement
verify_hmac(key: str, message: str, signature_hex: str) → bool
Examples
in: ["secret","hello","88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b"]
out: true
What a strong answer looks like

State your approach and its time/space complexity out loud before you optimize. Handle the edge cases (empty input, duplicates, overflow), and say why you chose this over the brute force. Green tests are the floor, not the grade.
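
One way to answer this in Python, as an added example that is not part of the original page. The `sign` helper, the `verify_hmac_leaky` contrast function, and the UTF-8 encoding of `key` and `message` are assumptions made for illustration.

```python
import hashlib
import hmac

HEX_LEN = hashlib.sha256().digest_size * 2  # 32-byte digest -> 64 hex chars


def sign(key: str, message: str) -> str:
    """Sender side (hypothetical helper): hex HMAC-SHA256 of message under key."""
    # Assumption: key and message are UTF-8 text, as the str parameters suggest.
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_hmac(key: str, message: str, signature_hex: str) -> bool:
    """Return True only if signature_hex is HMAC-SHA256(key, message)."""
    expected = bytes.fromhex(sign(key, message))
    # The length of a valid signature is public, so rejecting a wrong length
    # early tells the sender nothing about the secret digest.
    if len(signature_hex) != HEX_LEN:
        return False
    try:
        # Decoding to bytes accepts upper- or lower-case hex and raises on
        # non-hex characters, so malformed input never reaches the compare.
        received = bytes.fromhex(signature_hex)
    except ValueError:
        return False
    # compare_digest does not stop at the first differing byte, so its
    # running time does not reveal how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def verify_hmac_leaky(key: str, message: str, signature_hex: str) -> bool:
    """Contrast only: str == may return at the first differing character."""
    return sign(key, message) == signature_hex


if __name__ == "__main__":
    # Input taken from the question's example.
    print(verify_hmac(
        "secret", "hello",
        "88aab3ede8d3adf94d26ab90d3bafd4a2083070c3bcce9c014ee04a443847c0b"))
```

Computing the HMAC is O(len(message)) time and O(1) extra space; the comparison is over a fixed 32 bytes.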
