I am currently working on integrating WhatsApp into my project, and I'm facing an issue with matching the calculated and provided hash values. When receiving WhatsApp messages that contain special characters and emojis, the calculatedHash and providedHash values do not match.
I have implemented a verification process using the following code:
TypeScript Code
```typescript
import * as crypto from 'crypto';

const signatureHeader = req.headers['x-hub-signature-256'];
const message = req.body;

function verifySignature(signatureHeader: string, appSecret: string, message: string): boolean {
  // Header format: "sha256=" followed by 64 lowercase hex digits
  const sha256Regex = /^sha256=([a-f0-9]{64})$/;
  const match = sha256Regex.exec(signatureHeader);
  if (!match) return false;
  const providedHash = match[1];
  const isVerified = verifyHmacSHA256(appSecret, providedHash, message);
  if (!isVerified) return false;
  return true;
}

function verifyHmacSHA256(appSecret: string, providedHash: string, message: string): boolean {
  // The HMAC input here is the parsed body serialized again with JSON.stringify
  const calculatedHash = crypto.createHmac('sha256', appSecret)
    .update(JSON.stringify(message))
    .digest('hex');
  return calculatedHash === providedHash;
}
```
I suspect that the issue lies in the update(JSON.stringify(message)) line, where the message is being converted to a JSON string before calculating the hash. It seems that special characters and emojis are causing inconsistencies in the hash calculation, leading to a mismatch between the calculatedHash and providedHash.
I would appreciate any guidance on how to handle special characters and emojis in the message while ensuring consistent matching of the hash values. Is there a different approach or encoding method I should use when calculating the hash in order to handle these cases properly?
Despite these efforts, I have not yet found a definitive solution to the inconsistent hash matching. My expectation was to identify the root cause of the issue and find a solution that would handle special characters and emojis properly. I aimed to achieve consistent matching between the calculatedHash and providedHash for all types of WhatsApp messages, regardless of their content.
At this stage, I am seeking further guidance and expertise to overcome this challenge. Any assistance or recommendations on how to handle special characters and emojis while ensuring consistent hash matching would be greatly appreciated.
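Added example, not part of the original post: the signature in `X-Hub-Signature-256` covers the request body exactly as sent, where non-ASCII characters arrive as `\uXXXX` escapes, so hashing `JSON.stringify` of the parsed body produces different bytes. The sketch below verifies against the raw bytes with a constant-time comparison; the secret, the payload and the names `verifyRawSignature`, `reserializedBody` and `demo` are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Verify the header against the exact bytes received on the wire.
function verifyRawSignature(signatureHeader: string, appSecret: string, rawBody: Buffer): boolean {
  const match = /^sha256=([a-f0-9]{64})$/.exec(signatureHeader);
  if (!match) return false;
  const provided = Buffer.from(match[1], "hex");
  const calculated = createHmac("sha256", appSecret).update(rawBody).digest();
  // Both buffers are 32 bytes at this point, so the lengths always match.
  return timingSafeEqual(calculated, provided);
}

// Constructed sample values (not real credentials or a real webhook payload).
const APP_SECRET = "constructed-demo-secret";
// The sender escapes non-ASCII characters and "/" in the JSON text it signs.
const RAW_BODY = Buffer.from(
  '{"text":{"body":"caf\\u00e9 \\ud83d\\ude00 https:\\/\\/example.com"}}',
  "utf8"
);
// Simulates the sender: HMAC-SHA256 over the raw bytes, hex encoded.
const HEADER = "sha256=" + createHmac("sha256", APP_SECRET).update(RAW_BODY).digest("hex");

// What the code in the question hashes: the parsed body serialized again.
// JSON.stringify emits the decoded characters and unescaped slashes instead.
function reserializedBody(): string {
  return JSON.stringify(JSON.parse(RAW_BODY.toString("utf8")));
}

function demo(): { raw: boolean; reserialized: boolean } {
  return {
    raw: verifyRawSignature(HEADER, APP_SECRET, RAW_BODY),
    reserialized: verifyRawSignature(HEADER, APP_SECRET, Buffer.from(reserializedBody(), "utf8")),
  };
}

console.log(demo());
```

If the app uses Express, the `verify` option of `express.json()` receives the raw buffer before parsing and is one place to capture it for this check.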