SHA256 webhook signature from WooCommerce never verifies

再見小時候 2021-01-02 23:47

I am receiving webhooks from a WooCommerce site into a Node.js/Express application. I am trying to verify the webhook's signature to prove authenticity, yet the hash I compu

6 Answers
  •  孤城傲影
    2021-01-03 00:24

    The hash must be calculated over the 'raw body'. When used in an Express application with the JSON bodyParser middleware, the 'raw body' is lost; see "How to access the raw body of the request before bodyparser?" for how to hold on to the 'raw body'.

    For example:

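    const express = require('express');
    const bodyParser = require('body-parser');
    const crypto = require('crypto');
    const debug = require('debug')('webhook');

    const app = express();
    const secret = process.env.WC_WEBHOOK_SECRET; // assumption: secret supplied via environment

    // 'misuse' verify option to keep the raw request bytes
    app.use(bodyParser.json({
      verify: function(req, res, buf) {
        req.rawBody = buf;
      }
    }));

    // hypothetical route; the check has to run inside a handler, where req exists
    app.post('/webhook', function(req, res) {
      var wcSignature = req.get('X-Wc-Webhook-Signature');
      debug('wc signature: %s', wcSignature);
      var calculatedSignature = crypto.createHmac('SHA256', secret)
        .update(req.rawBody, 'utf8')
        .digest('base64');
      debug('calculated signature: %s', calculatedSignature);
      res.sendStatus(200);
    });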
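
The raw-body point from the answer above, as an added example that is not part of the original post: it verifies the `X-Wc-Webhook-Signature` value in constant time and shows that the same check fails once the body has been parsed and re-serialized. The secret, the sample body and the helper names (`sign`, `verifyWcSignature`, `reserialize`, `demo`) are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample values (assumptions, not from the original post).
const SECRET = 'example-webhook-secret';
// Raw bytes as they arrive on the wire: note the escaped slashes and \u00e9.
const RAW_BODY = Buffer.from(
  '{"id":42,"permalink":"https:\\/\\/shop.example\\/p\\/42","note":"caf\\u00e9"}',
  'utf8'
);

// Base64 HMAC-SHA256 over the given bytes.
function sign(bytes, secret) {
  return crypto.createHmac('sha256', secret).update(bytes).digest('base64');
}

// Verify the X-Wc-Webhook-Signature header value against the raw body bytes.
function verifyWcSignature(rawBody, headerValue, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof headerValue !== 'string') return false;
  const expected = Buffer.from(sign(rawBody, secret), 'base64');
  const received = Buffer.from(headerValue, 'base64');
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Header value the sender would compute over the bytes it transmitted.
const HEADER = sign(RAW_BODY, SECRET);

// What a handler has left when only the parsed object was kept:
// JSON.stringify emits "/" and "é", so the bytes no longer match the wire.
function reserialize(rawBody) {
  return Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');
}

function demo() {
  return {
    rawOk: verifyWcSignature(RAW_BODY, HEADER, SECRET),
    reserializedOk: verifyWcSignature(reserialize(RAW_BODY), HEADER, SECRET),
    wrongSecretOk: verifyWcSignature(RAW_BODY, HEADER, 'other-secret'),
    missingHeaderOk: verifyWcSignature(RAW_BODY, undefined, SECRET),
  };
}

console.log(demo());
```

In an Express handler, `req.rawBody` captured by the `verify` option is what goes in as `rawBody`; a request that fails the check should be rejected before `req.body` is used.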
    
