Help with HMAC security filter
I'm using Xano to accept two webhook calls that require the request body to be encoded using HMAC with a secure key and SHA256 digest mode, then match that to a signature in the header to verify the request. My setup in both endpoints is this (different key, otherwise identical):
This works fine for one of the webhooks, but not on the other one. I've verified that I'm using the correct key (shared secret), but I can't match the signature. Does anyone with more experience have any ideas what might be going wrong?
Best Answer
-
I think you're accepting the webhook data as JSON and letting Xano parse it for you into an object, then trying to re-encode as JSON and testing that string. This can cause issues because the original string may not be the twice-translated one. Newlines, spaces and even variable order can change.
If I'm right, you're in good company: this has happened before to others! To address this, in your "get all data" call, choose "text" or raw for the format. Test the signature against that raw text. Then in a separate call, create another variable that parses that JSON, and you can use the data as you will.
Dealing with encryption and signatures is definitely part of the "hardest 5%" that we focus on at State Change in our office hours, 1,000+ recordings and loom-enabled forums.
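The raw-versus-re-encoded mismatch described in the answer above, as an added Python example that is not part of the original post or of Xano. The secret, the bodies and the hex-encoded signature are constructed assumptions; it also shows that a body which happens to round-trip unchanged still verifies, which is one way the same setup can pass for one sender and fail for another.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the thread).
SECRET = b"constructed-shared-secret"
RAW_BODY = b'{"id": 42,  "name":"Zo\\u00e9",\n "amount": 10.0}'  # odd spacing, newline
COMPACT_BODY = b'{"id": 42}'  # happens to match json.dumps output exactly


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes given (hex encoding is an assumption)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_raw(secret: bytes, raw_body: bytes, header_sig: str) -> bool:
    """Robust: authenticate the bytes as received, before any parsing."""
    return hmac.compare_digest(sign(secret, raw_body), header_sig)


def verify_reencoded(secret: bytes, raw_body: bytes, header_sig: str) -> bool:
    """Fragile: parse, re-serialize, then sign the re-serialized string."""
    reencoded = json.dumps(json.loads(raw_body)).encode()
    return hmac.compare_digest(sign(secret, reencoded), header_sig)


def handle_webhook(secret: bytes, raw_body: bytes, header_sig: str):
    """Verify first; parse the JSON only after the signature checks out."""
    if not verify_raw(secret, raw_body, header_sig):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    for body in (RAW_BODY, COMPACT_BODY):
        header_sig = sign(SECRET, body)  # what the sender would put in the header
        print(body[:12], "raw:", verify_raw(SECRET, body, header_sig),
              "re-encoded:", verify_reencoded(SECRET, body, header_sig))
    print(handle_webhook(SECRET, RAW_BODY, sign(SECRET, RAW_BODY)))
```
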
Answers
-
Hi, can you share the documentation regarding those webhooks?
-
Here's the relevant bit:
And a link: https://docs.crm.activix.ca/api/webhooks
-
As a member myself I highly recommend StateChange and Ray himself!