Webhook signature with php

[aurelienpiquet]

Hello, i can't get a way to get the same hash as you.

What is the "YOUR_APPLICATION_SECRET" ? I tryied with Client ID, Client Secret, Private App Access Code.

Your documentation specifies code in Ruby:
encoded_body = Base64.encode64(json_body) # assuming json_body comes from the request
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), YOUR_APPLICATION_SECRET, encoded_body)

Here is my code with php:

        $signature = $request->headers->get('X-Content-Signature');
        $data = chunk_split(base64_encode($request->getContent()), 60, "\n");
        $secret = 'YOUR_APPLICATION_SECRET'; 
        $hash = hash_hmac('sha1', $data, $secret);
       hash_equals($hash, $signature); // false

And still when i compare the hash and your signature, it's never equal.

[Azdaroth]

hi @aurelienpiquet , the YOUR_APPLICATION_SECRET is what you referred as Client Secret.

One potential reason why you might be getting an invalid result is the implementation of base 64. Not sure what it is exactly in your case but in Ruby, there are 2 implementations: https://ruby-doc.org/stdlib-2.5.3/libdoc/base64/rdoc/Base64.html i.e. encode64 and strict_encode64. They handle differently CR and LF. Would be a good idea to validate on your side if you use the same implementation.

[aurelienpiquet]

Hi @Azdaroth,

I use base64_encode which is the same as Base64.encode64 in ruby. Then i chunk the string every 60 characters and add "\n" and at the end of the string as your documentation specified.

Here is an example of the encoding:

[Azdaroth]

@aurelienpiquet what does $request->getContent() exactly return? Is it a pure JSON or is it some different object? As this is the only thing that comes my mind, I've just double checked the implementation of the signature an it hasn't changed, it's exactly what the documentation states.

[aurelienpiquet]

@Azdaroth it retrieves body as json string. It can be expended with \n or minified depending on the method i apply on the request body. But i tryed both way, and not a good result on my side ! Do you have another way for webhook validation ?

[Azdaroth]

@aurelienpiquet That's unfortunately the only way. Not sure what else to suggest, as we've never had this kind of issues before, I think the only way to move on would be to skip validation. Not a good move in terms of security, but there is no alternative.