0

I have configured a webhook. When an event occurs in the application, the URL is called, but I am not getting any data in the call.

According to its documentation

For added security, webhooks sent to OAuth-authorised applications are signed so they can be verified as originating from Vend and unaltered in transit. A hash-based message authentication code is used for the signature. If the webhook request contains a header as below, the application can verify the request.

X-Signature: signature=897hRT893qkA783M093ha903f,algorithm=HMAC-SHA256

To do this, generate a signature by hashing the webhook request body and compare it to the signature in the header for an exact match. Use the algorithm specified in the header and your application’s client_secret as the hash key.

Reference - https://docs.vendhq.com/tutorials/guides/webhooks/introduction

I have keys, but I am not sure how to generate a signature by hashing the webhook request body.

Any thoughts?

Thank you

  • I am not sure what the document means & what needs to be done to get data. –  Dec 31 '20 at 10:41
  • I have checked the docs, and my conclusion is that there is missing data in them. At least, they have to tell you how to generate the hash (which library they are using). Maybe it is https://github.com/entronad/crypto-es#HMAC, but not sure. On the other hand, if they are not able to ensure that they are going to send the WebHook, I will not use it. – Sourcerer Dec 31 '20 at 12:50

2 Answers

0

Ok contacted Vend about this and have solved it:

First of all, this only works when you create the webhook via an OAuth-authorised app. And use your own client_secret to send the X-Signature to Vend with the webhook creation request with curl, like this:

    $token = 'Authorization: Bearer ' . get_option('vend_token');
    $client_secret = get_option("client_secret");

    curl_setopt($curl, CURLOPT_HTTPHEADER, array(
        'X-Signature: signature='.$client_secret.',algorithm=HMAC-SHA256',
        'Content-Type: application/x-www-form-urlencoded',
        $token
    ));

then, in the callback function:

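    function receive_webhook_callback( $request_data ) {
        // Raw request body, exactly as received
        $data = $request_data->get_body();

        $client_secret = get_option("client_secret");

        // Hex HMAC-SHA256 of the body, keyed with the client_secret
        $signaturehash = hash_hmac('sha256', $data, $client_secret, false);

        $signature = "signature=".$signaturehash.", algorithm=HMAC-SHA256";

        error_log('signature:');
        error_log($signature);

        // Empty string if the header is absent, so the comparison simply fails
        $sig_header = $_SERVER['HTTP_X_SIGNATURE'] ?? '';

        error_log('header-signature:');
        error_log($sig_header);

        // hash_equals() compares in constant time, unlike ===
        if (hash_equals($signature, $sig_header)) {
            error_log("signatures match!!");
        }
    }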
0

Looking at the example X-Signature header, it provides the algorithm:

X-Signature: signature=897hRT893qkA783M093ha903f,algorithm=HMAC-SHA256

From PHP: How can I generate a HmacSHA256 signature of a string:

Use hash_hmac:

$sig = hash_hmac('sha256', $string, $secret);

Where $secret is your key.

Where $string would be the webhook body.
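
The verification step from the documentation quoted in the question, as an added example that is not from Vend's docs or from either answer: it parses the X-Signature header into its fields, recomputes the HMAC over the raw body, and compares in constant time. The function names and sample values are hypothetical; it assumes the signature is the hex digest (as in the first answer) and accepts only HMAC-SHA256, the algorithm shown in the header above.

```php
<?php
// Added example; function names and sample values are constructed.
// Assumption: the signature value is a hex HMAC digest, as in the first answer.

/** Split "signature=<value>,algorithm=<name>" into an associative array. */
function parse_x_signature(string $header): array
{
    $parts = [];
    foreach (explode(',', $header) as $pair) {
        // Limit of 2 keeps a value that itself contains "=" intact.
        $kv = explode('=', trim($pair), 2);
        if (count($kv) === 2) {
            $parts[strtolower(trim($kv[0]))] = trim($kv[1]);
        }
    }
    return $parts;
}

/** True only if the header carries a valid HMAC-SHA256 of the raw body. */
function verify_webhook(string $rawBody, ?string $header, string $clientSecret): bool
{
    if ($header === null || $header === '') {
        return false; // unsigned request: reject
    }
    $parts = parse_x_signature($header);
    // Accept only the algorithm this receiver implements.
    if (($parts['algorithm'] ?? '') !== 'HMAC-SHA256' || empty($parts['signature'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $clientSecret);
    // hash_equals() compares in constant time.
    return hash_equals($expected, strtolower($parts['signature']));
}

// Constructed sample request
$secret = 'example-client-secret';
$body   = 'payload=%7B%22id%22%3A%22123%22%7D&type=sale.update';
$good   = 'signature=' . hash_hmac('sha256', $body, $secret) . ',algorithm=HMAC-SHA256';

var_dump(verify_webhook($body, $good, $secret));        // untouched body, valid header
var_dump(verify_webhook($body . 'x', $good, $secret));  // body altered in transit
var_dump(verify_webhook($body, 'signature=abc,algorithm=HMAC-MD5', $secret)); // other algorithm
var_dump(verify_webhook($body, null, $secret));         // header missing
```

In the WordPress callback from the first answer, the raw body is `$request_data->get_body()` and the header is `$_SERVER['HTTP_X_SIGNATURE']`; the body must be hashed before any decoding or re-serialisation.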