使用HMAC SHA256和base64对请求体进行编码

Question

使用HMAC SHA256和base64对请求体进行编码

4

如何使用HMAC sha 256和base64编码请求主体。

我从Xero Webhook接收的请求对象。

HEADER:
   "x-xero-signature" : HASH_VALUE
PAYLOAD:
  {
     "events": [],
     "lastEventSequence": 0,
     "firstEventSequence": 0,
     "entropy": "S0m3r4Nd0mt3xt"
  }

来自 Xero 文档的说明称：“如果使用 HMACSHA256 用您的 Webhook 签名密钥对有效载荷进行哈希处理并进行 base64 编码，则应该与标头中的签名相匹配。这是正确签名的有效载荷。如果签名与哈希载荷不匹配，则为不正确签名的有效载荷。”

我遵循了这个例子：https://devblog.xero.com/using-xero-webhooks-with-node-express-hapi-examples-7c607b423379。

const express = require("express");
const router = express.Router();
const base64 = require('base-64');
const crypto = require('crypto')
const bodyParser = require('body-parser')
const xero_webhook_key = '00fRRlJBYiYN4ZGjmTtG+g/pulyb1Eru68YYL3PFoLsa78dadfQtGrOMuISuVBHxpXeEYo0Yy1Gc+hHMhDkSI/EEcgtrA==';

let options = {
    type: 'application/json'
  };
let itrBodyParser = bodyParser.raw(options);

router.post("/", itrBodyParser, async (req, res, next) =>{
//     console.log('::::WebhookPost:::');
const reSign = req.headers['x-xero-signature'];
 console.log(req.headers['x-xero-signature']);
 console.log('::::::::');
 console.log(req.body);
    console.log("Body: "+JSON.stringify(req.body))
    console.log(req.body.toString());
    console.log("Xero Signature: "+ reSign);
    console.log('Server key::::',xero_webhook_key);
    // Create our HMAC hash of the body, using our webhooks key
    let hmac = crypto.createHmac("sha256", xero_webhook_key).update(req.body.toString()).digest('base64');
    console.log("Resp Signature: ",hmac)

    if (req.headers['x-xero-signature'] == hmac) {
        res.statusCode = 200
    } else {
        res.statusCode = 401
    }
    console.log("Response Code: "+res.statusCode)
    return res.send();
 

});

- UJ India

2个回答

2

我使用了这个解决方案！我正在使用express框架，但请求未作为原始请求发送。同时，根据xero的文档，.toString也没有起作用。

 const server = http.createServer(async (req, resp) => {
  try {
      console.log(`::::Webhook::: ${webhookPort}`);
      console.log("::::x-xero-signature:::");
      console.log(req.headers["x-xero-signature"]);
      console.log(`--------------------------------------`);
      if (req.method === "POST") {
        if(req.headers["x-xero-signature"]){
          const rData = await new Promise((resolve, reject) => {
            return collectRequestData(req, (result) => {
                
                console.log(result);
                let hmac = crypto
                  .createHmac("sha256", xero_webhook_key)
                  .update(result)
                  .digest("base64");
                  console.log("Resp Signature: ", hmac);
                 
               
                return resolve({
                  hmac,result
                });
              });
          });
           console.log(">>Resp Signature: ", rData);
           console.log('>>x-xero-signature:::',req.headers["x-xero-signature"]);
           if(rData.result){
             const result = JSON.parse(rData.result);
             console.log('result:::',result);
             for(let { resourceId } of result.events) {
              console.log('::INVOICE ID = ',resourceId);
                getInvoiceData(resourceId);
             }
           }

           if(rData.hmac == req.headers["x-xero-signature"] ){
            console.log('::YES');
              resp.statusCode = 200;
          }else{
            console.log('::NO');
            resp.statusCode = 401;
          }
        }
        resp.end();
      }

        console.log("::::Webhookgetsssss:::");
        resp.message = 'Get API'
        resp.end();
     
  } catch (error) {
    resp.statusCode = 200;
    resp.end();
  }
      
     
  });
  server.listen(webhookPort);

function collectRequestData(request, callback) {
    let body = "";
    request.on("data", (chunk) => {
      body += chunk.toString();
    });
    request.on("end", () => {
      callback(body);
    });
  }

- Ujjual

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- Rett Behrens · Accepted Answer

嘿，最近我在实现使用Xero的webhooks的视频，如果这个视频能帮到您，请告诉我。我发现尝试在路由上通过itrBodyParser传递方式并不能让我成功，所以我将其与特定的webhooks端点上的app.use语句进行了切换。如果您更喜欢书面指南而不是视频，这里是博客文章