Problem verifying the X-TAIGA-WEBHOOK-SIGNATURE in nodejs

Hi guys,
I’m developing a webhook for Taiga integrations, but when I receive the payload and try to generate the hmac hash, the X-TAIGA-WEBHOOK-SIGNATURE and my generated hash don’t match.

const crypto = require('crypto');

const key = 'mi key';
// Node lowercases incoming header names
const signature = req.headers['x-taiga-webhook-signature'];
const body = JSON.stringify(req.body);

const hmac = crypto.createHmac('sha1', key);
hmac.update(body);

const calculatedSignature = hmac.digest('hex');
if (signature === calculatedSignature) {
  console.log('Exito');
} else {
  console.log('Signature invalida');
}

Any idea why it does not generate the same hash as X-TAIGA-WEBHOOK-SIGNATURE?

Regards.

@ajmarmar, could req.body already be a string? Try with

const hmac = crypto.createHmac('sha1', key);
hmac.update(req.body);

Hi,
Thanks for your quick reply. I did tests as if it were a string or a JSON object, but the result is not the same as x-taiga-webhook-signature.

Well, this is what the documentation says about the signature verification of a webhook, so it should work as we expected. I’ll try to create a complete example to test it in javascript (with a node server) and improve the documentation.


Hi,

I also tried with a python script, but that didn’t work either.

Regards

It could be because you have to encode the data to utf8. Maybe with utf8 - npm.

Hi

We use utf8 encoding.

Could you give us an example of a body, key and signature that works for you so we can test it?

Regards.

This is my example in python

  1. Create the webhook and send a test message:

  2. Show the received message in the test server
  3. And verify the signature.

The code to verify the signature

In [14]: import hmac

In [15]: import hashlib

In [16]: def verify_signature(key, data):
    ...:     mac = hmac.new(key.encode("utf-8"), msg=data.encode("utf8"), digestmod=hashlib.sha1)
    ...:     return mac.hexdigest()
    ...: 

In [17]: signature = '01587d7bdfee8892efed7f19d7712d1ae37955f7'

In [18]: body = '{"action": "test", "type": "test", "by": {"id": 9, "permalink": "https://tree.taiga.io/profile/bameda", "use
    ...: rname": "bameda", "full_name": "David Barragán Merino", "photo": "https://media-protected.taiga.io/user/3/d/b/1/0b3c
    ...: cc2d04bbfcc50f33323c39cce79b1386dfafd442a16d7650e9bd314f/bameda_avatar_400x400.png.80x80_q85_crop.png?token=ZLZjLw%3
    ...: A_xfhG7oJl0s7p-a5TWWLVwsBCGEFgs_STcR3KxxmEuLeYlPTfgAPrmNc1_PeB8oHd-9Kl7otMD0hgYZQNPtzoQ", "gravatar_id": "ca3f184c1e
    ...: 11414128d75b06509535bf"}, "date": "2023-07-18T10:02:23.863Z", "data": {"test": "test"}}'

In [19]: key = 'very_secret'

In [20]: verify_signature(key, body)
Out[20]: '01587d7bdfee8892efed7f19d7712d1ae37955f7'

In [21]: verify_signature(key, body) == signature
Out[21]: True

I hope this can help

Hi,
Thank you, I’ll do a few tests and I’ll comment on them.

Regards.

Hi,

I did the test and I can do the check fine. My problem was that the JSON I received didn’t have the same format as the one you sent me: the attributes and values are separated by a space, while I obtain a JSON string without spaces.

On the other hand, the payload that Taiga shows is not the same (in order of attributes and format) as the one you received in “webhook.site”.

Regards.

Oh! We’ll check this behavior. Thanks.
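The mismatch found in this thread comes from hashing a re-serialised `req.body` instead of the bytes that were actually sent. The following is an added example, not code from the posters or from Taiga: a plain `node:http` handler that verifies the header over the raw body before parsing it. It assumes hex HMAC-SHA1 over the body as in the snippets above; the key, sample body and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hex HMAC-SHA1 (the algorithm used in the thread) over exactly the bytes given.
function sign(key, rawBody) {
  return crypto.createHmac('sha1', key).update(rawBody).digest('hex');
}

// Compare the header value with the digest of the raw body in constant time.
function verifySignature(key, rawBody, headerValue) {
  if (typeof headerValue !== 'string') return false;
  const expected = Buffer.from(sign(key, rawBody), 'utf8');
  const received = Buffer.from(headerValue.trim().toLowerCase(), 'utf8');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Plain node:http request handler: buffer the raw bytes, verify, and only then parse.
function makeHandler(key, onEvent) {
  return (req, res) => {
    const chunks = [];
    req.on('data', (c) => chunks.push(c));
    req.on('end', () => {
      const raw = Buffer.concat(chunks);
      // Node lowercases incoming header names.
      if (!verifySignature(key, raw, req.headers['x-taiga-webhook-signature'])) {
        res.writeHead(401);
        return res.end();
      }
      onEvent(JSON.parse(raw.toString('utf8')));
      res.writeHead(204);
      res.end();
    });
  };
}

// Constructed sample: spaced separators as in the Python post, one non-ASCII character.
const SAMPLE_KEY = 'example_key';
const SAMPLE_RAW = Buffer.from(
  '{"action": "test", "by": {"full_name": "Barragán"}, "data": {"test": "test"}}', 'utf8');
const SAMPLE_HEADER = sign(SAMPLE_KEY, SAMPLE_RAW); // stands in for the sender's header

// Re-serialising drops the spaces, so the bytes and therefore the HMAC change.
function reserialized(raw) {
  return JSON.stringify(JSON.parse(raw.toString('utf8')));
}
```

With a body-parsing framework in front of the handler, the same check needs the unparsed buffer, since `JSON.stringify(req.body)` reproduces the compact form shown by `reserialized`.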