保护Typeform Webhook Python

时间:2019-11-30 07:14:45

标签: python django python-3.x django-rest-framework typeform

我正尝试使用Python / Django / DRF接受来自Typeform的表单响应,由于无法获取匹配的哈希值,因此无法验证webhook请求。

这是Typeform中的说明:

1. Using the HMAC SHA-256 algorithm, create a hash (using created_token as a key) of the entire received payload as binary.
2. Encode the binary hash in base64 format.
3. Add prefix sha256= to the binary hash.
4. Compare the created value with the signature you received in the Typeform-Signature header from Typeform.

authentication.py

class TypeformAuthentication(authentication.BaseAuthentication):
    def authenticate(self, request):
        typeform_signature = request.META.get('HTTP_TYPEFORM_SIGNATURE')
        data = request.body
        secret_key = os.environ.get('TYPEFORM_SECRET_KEY')

        if not typeform_signature:
            return None

        if typeform_signature:
            hash = hmac.new(bytes(secret_key, encoding='utf-8'), data, hashlib.sha256)
            actual_signature = 'sha256={}'.format(base64.b64encode(hash.digest()).decode())
            user = User.objects.get(username='typeform-user')
            if actual_signature == typeform_signature:
                 return(user, None)
            else:
                raise exceptions.AuthenticationFailed('Typeform signature does not match.')
        else:
            return None

有效负载示例

{
  "event_id": "01DTXE27VQSA3JP8ZMP0GF9HCP",
  "event_type": "form_response",
  "form_response": {
    "form_id": "OOMZur",
    "token": "01DTXE27VQSA3JP8ZMP0GF9HCP",
    "landed_at": "2019-11-30T05:55:46Z",
    "submitted_at": "2019-11-30T05:55:46Z",
    "definition": {
      "id": "OOMZur",
      "title": "Auto Liability (New Company)",
      "fields": [
        {
          "id": "GnpcIrevGZQP",
          "title": "What is your business name?",
          "type": "short_text",
          "ref": "3e60e064-f14c-4787-9968-0358e8f34468",
          "properties": {}
        }
      ]
    },
    "answers": [
      {
        "type": "text",
        "text": "Lorem ipsum dolor",
        "field": {
          "id": "GnpcIrevGZQP",
          "type": "short_text",
          "ref": "3e60e064-f14c-4787-9968-0358e8f34468"
        }
      }
    ]
  }
}

类型生成的哈希值

sha256=jdzKuFkijyBIMvmGyveHfcfzcNXUeQCuveNGP6CEdXk=

authentication.py生成的哈希

sha256=at4SsBIi2IXJ8vr1Ix3tHW7iK9q5KQfx20EBa+l9wKU=

1 个答案:

答案 0 :(得分:1)

我能够做到这一点。以防万一有人在验证Webook时遇到麻烦。我找到并修改了该指南。

https://simpleisbetterthancomplex.com/tutorial/2016/10/31/how-to-handle-github-webhooks-using-django.html

不是在身份验证内部处理它。我改为使用视图来处理它。

/home