Code examples for webhook authentication

[kueben]

Hi, I am currently using the following to verify the X_Signature on the requests sent to our webhooks endpoint, however it is failing. I feel the documentation is not super clear on it, for instance does 'complete event payload' mean the payload part of the json object, or does it mean the full body of the request? Below is the code I am attempting to use at the moment however it is failing. If you could provide some example code or point out what I am doing wrong that would be great.

    import hashlib
    import hmac
    import base64
    # secret token as shown on the webhooks section of the dashboard
    key = bytes(ck, 'utf-8')
    
    # body = bytes(json.dumps(json.loads(body.decode())['payload']), 'utf-8')
    message = body # request.body

    digester = hmac.new(key=key, msg=message, digestmod=hashlib.sha3_224)

    signature = digester.digest()

    signature = base64.b64encode(signature).decode()

    return signature

[danny-bos]

Completely agree @kueben, the documentation around this is vague at best. Did you find a solution?

[hjheath]

Hi @kueben and @danny-bos
Thanks for the feedback and I'm sorry our documentation is not clear on this point. I will update the docs to be more explicit.

You should compute the hash using the entire JSON body of the request e.g. with:

{
  "payload": {
    "resource_type": "report",
    "action": "report.completed",
    "object": {
      "id": "12345-23122-32123",
      "status": "completed",
      "completed_at": "2014-05-23 13:50:33 UTC",
      "href": "https://api.onfido.com/v2/checks/12343-11122-09290/reports/12345-23122-32123"
    }
  }
}

[kueben]

Hi thanks for the response, here is how we got it to work:

    def get_signature(dashboard_secret, payload):
        import hashlib
        import hmac
        key = bytes(dashboard_secret, 'utf-8')
        digester = hmac.new(key=key, msg=payload, digestmod=hashlib.sha1)
        signature = digester.hexdigest()
        return signature

[tigren]

For Django

    def post(self, request):
        onfido_signature = request.META['HTTP_X_SIGNATURE']
        signature = hmac.new(settings.ONFIDO_WEBHOOK_TOKEN.encode(), request.body, hashlib.sha1)
        expected_signature = signature.hexdigest()
        if not hmac.compare_digest(onfido_signature, expected_signature):
            return HttpResponseForbidden('Invalid signature header')

        request_body = json.loads(request.body)

[jchannon]

I know this is for C#/ASP.NET Core but this is the issue that I found when googling. There appears to be no .NET samples anywhere so thought I'd add a sample for anyone else that comes across this

        private static async Task<bool> SecurePayload(HttpContext context)
        {
            await PrepareRequestBody(context);

            var header = context.Request.Headers["X-Signature"].ToString();

            var hash = GetHashedPayload("MYSECRET", context.Request.Body);

            context.Request.Body.Seek(0L, SeekOrigin.Begin);

            return header.Equals(hash, StringComparison.Ordinal);
        }

        private static async Task PrepareRequestBody(HttpContext context)
        {
            if (!context.Request.Body.CanSeek)
            {
                context.Request.EnableBuffering();

                await context.Request.Body.DrainAsync(CancellationToken.None);
            }

            // Always start at the beginning.
            context.Request.Body.Seek(0L, SeekOrigin.Begin);
        }

        private static string GetHashedPayload(string secret, Stream message)
        {
            var keyByte = Encoding.ASCII.GetBytes(secret);
            using (var hmacsha1 = new HMACSHA1(keyByte))
            {
                var hashmessage = hmacsha1.ComputeHash(message);

                return hashmessage.Aggregate(string.Empty, (current, t) => current + t.ToString("X2")).ToLower();
            }
        }

[Lechus]

@jchannon Thank you very much.
API v2: use HMACSHA256

[abhyudayasrinet]

Alternative copy/paste function for Flask users:

import hmac
import hashlib
from flask import request

def validate_signature():
    key = bytes(key, 'utf-8')
    expected_signature = hmac.new(key=key, msg=request.data, digestmod=hashlib.sha1).hexdigest()
    incoming_signature = request.headers.get('X-Hub-Signature').split('sha1=')[-1].strip()
    if not hmac.compare_digest(incoming_signature, expected_signature):
        return False
    return True

[tomarv2]

I am trying to setup webhook authentication, tried both the whole event sent from GitHub and just the Body part, nothing is working:

import hmac
import hashlib

GITHUB_SECRET = 'ghp_HELLO_WORLD'

incoming_signature = "123456"  # from X-Hub-Signature-256': 'sha256=123456

data = """{'body': {'action': 'created',
          'comment': {'author_association': 'COLLABORATOR',
                      'body': '[tf plan]',
                      "demo": "...",
                      "demo1": "...",
                     'url': 'https://api.github.com/users/tomarv2'}},
 'headers': {'Accept': '*/*',
             'Host': 'test.tomarv2.com',
             'User-Agent': 'GitHub-Hookshot/XXXX',
             'X-Amzn-Trace-Id': 'Root=1-61',
             'X-Forwarded-For': 'XXXXXX',
             'X-Forwarded-Port': '443',
             'X-Forwarded-Proto': 'https',
             'X-GitHub-Delivery': '503',
             'X-GitHub-Event': 'issue_comment',
             'X-GitHub-Hook-ID': 'XXXXXX',
             'X-GitHub-Hook-Installation-Target-ID': 'XXXXXX',
             'X-GitHub-Hook-Installation-Target-Type': 'repository',
             'X-Hub-Signature': 'sha1=123456',
             'X-Hub-Signature-256': 'sha256=123456',
             'content-type': 'application/json'},
 'stage': 'dev'}
"""


def get_signature(token, githhub_payload):
    signature_bytes = bytes(token, 'utf-8')
    digest = hmac.new(key=signature_bytes, msg=githhub_payload, digestmod=hashlib.sha256)
    return digest.hexdigest()


eval_signature = get_signature(GITHUB_SECRET, data.encode('utf-8'))

print("X-Hub-Signature-256:", incoming_signature)
print("Eval Signature:", eval_signature)
if incoming_signature != eval_signature:
    print('Unauthorized attempt')