我设置了一个Typeform webhook,它运行良好。
现在,我正在尝试保护它的安全,但是我陷入了Validate payload from Typeform部分。
我将概述的步骤和Ruby示例(以及Typeform帮助中心发送给我的PHP example)修改为Node(流星):
const crypto = require('crypto');
function post() {
const payload = this.bodyParams;
const stringifiedPayload = JSON.stringify(payload);
const secret = 'the-random-string';
const receivedSignature = lodash.get(request, 'headers.typeform-signature', '');
const hash = crypto
.createHmac('sha256', secret)
.update(stringifiedPayload, 'binary')
.digest('base64');
const actualSignature = `sha256=${hash}`;
console.log('actualSignature:', actualSignature);
console.log('receivedSignature:', receivedSignature);
if (actualSignature !== receivedSignature) {
return { statusCode: 200 };
}
// .. continue ..
});
但是actualSignature和receivedSignature永远不匹配,我得到如下结果:
actualSignature: sha256=4xe1AF0apjIgJNf1jSBG+OFwLYZsKoyFBOzRCesXM0g=
receivedSignature: sha256=b+ZdBUL5KcMAjITxkpzIFibOL1eEtvN84JhF2+schPo=
为什么会这样?
答案 0 :(得分:0)
您需要使用原始二进制请求,该请求在文档here
中指定使用HMAC SHA-256算法创建哈希(使用created_token 作为密钥),以二进制形式接收整个有效载荷。
这是一个使用express和body-parser中间件的示例
const crypto = require('crypto');
const express = require("express");
const bodyParser = require('body-parser');
const TYPEFORM_SECRET = 'your-secret';
const app = express();
const port = 3000;
app.use(bodyParser.raw({ type: 'application/json' }));
app.post(`/webhook`, (req, res) => {
const expectedSig = req.header('Typeform-Signature');
const hash = crypto.createHmac('sha256', TYPEFORM_SECRET)
.update(req.body)
.digest('base64');
const actualSig = `sha256=${hash}`;
if (actualSig !== expectedSig) {
// invalid request
res.status(403).send();
return;
}
// successful
res.status(200).send();
});
app.listen(port, () => {
console.log(`listening on port ${port}!`);
});