2

I'm trying to implement an authentication middleware in php for the webhook callback of azures speech to text api.

I would like to make use of the X-MicrosoftSpeechServices-Signature header for this. The docs state, that this is the sha256 encrypted value of the payload with the secret as its key.

Let's say the webhook sends back a request like:

{  
   "self":"https:\/\/southcentralus.api.cognitive.microsoft.com\/speechtotext\/v3.0\/transcriptions\/be783fbc-2836-480b-b678-76363dc0d0a7",
   "invocationId":"d00d3f00-2122-4c81-b5e6-1ce026805e7d"
}

And the header is like (the secret was: aBdneoSDSDjw34dfsd2)

"x-microsoftspeechservices-signature":"zsPn2yNhsx9XYABxSqCtNHh3bnCMFL4zGTsdUhGjAGw="

So, according to the docs, I could encrypt the payload in sha256 with my secret and should get the same signature, right?

$secret= "aBdneoSDSDjw34dfsd2"; 
$sig =   $request->header("X-MicrosoftSpeechServices-Signature");
$data = json_encode($request->getContent());
$sign =  hash_hmac(
        'sha256',
        $data ,
        $secret,
        true //use binary necessary??
);
dd($sig, $sign);

Unfortunately, the values do not match. Since the signature looks like it's base64 encoded additionally, I tried that also:

dd($sig, base64_encode($sign ));

And at least the character length is the same, but it's still no match. What am I missing here?

Chris
  • 4,238
  • 4
  • 28
  • 49

1 Answers1

1

I got it to work with the following python snippet:

hmac_key = '1234567890'

# In case of 'x-microsoftspeechservices-event': 'TranscriptionCompletion'
if (event.get('body')):
    hmac_digest = hmac.new(hmac_key.encode(), event['body'].encode(), digestmod=hashlib.sha256).digest()
    b64dig = base64.b64encode(hmac_digest).decode()
# In case of 'x-microsoftspeechservices-event': 'Challenge'
elif (event.get('queryStringParameters')):
    hmac_digest = hmac.new(hmac_key.encode(), event['queryStringParameters']['validationToken'].encode(), digestmod=hashlib.sha256).digest()
    b64dig = base64.b64encode(hmac_digest).decode()
else:
    b64dig = ""

print (b64dig)
print (event['headers']['x-microsoftspeechservices-signature'])

if b64dig == event['headers']['x-microsoftspeechservices-signature']:
    print ('valid')
else:
    print ('invalid')
Chris
  • 51
  • 3
  • Thanks a lot! The doc was really lacking on this. Good to know we need to 1) b64encode 2) digest the validationToken for the challenge event. – Bruno Degomme Jan 30 '23 at 16:00