
I need to validate a Xero webhook in my Node.js project. These are the Xero documentation steps for validating it: https://developer.xero.com/documentation/webhooks/creating-webhooks#STATUS

var crypto = require("crypto")

// HMAC-SHA256 of the message with the webhook signing key, base64 encoded
function getHmacSha256(message, secret) {
    return crypto.createHmac("sha256", secret).update(message).digest("base64")
}

// webhookPayload and signature come from the webhook body and header
const webhookPayload = {
  events: [],
  firstEventSequence: 0,
  lastEventSequence: 0,
  entropy: 'OSHPXTUSXASRFBBCJFEN'
}
const signature = "OXLaeyZanKI5QDnLkXIVB35XrZygYsPMeK8WfoXUMU8="

const myKey = "1y5VYfv7WbimUQIMXiQCB6W6TKIp+5ZZJNjn3Fsa/veK5X/C8BZ4yzvPkmr7LvuL+yfKwm4imnfAB5tEoJfc4A=="

var hash = getHmacSha256(JSON.stringify(webhookPayload), myKey)

// If the payload is hashed using HMACSHA256 with your webhook signing key and base64 encoded,
// it should match the signature in the header.

if (signature === hash) {
    return res.status(200).end()
} else {
    return res.status(401).end()
}

Every time, my signature and hash are different, so it returns 401 every time. So I failed to complete "Intent to receive".

Hiral

1 Answer


From what you're describing, my guess is you are unintentionally modifying the request body. You need to accept the raw request body from the webhook event without modification. If this body is modified at all, your code will fail to verify the signature and will fail Xero’s “Intent to receive” validation. Check out this blog post for details.

Rett Behrens