Confirm Signature Mandrill X-Mandrill

I am developing a Node.js application and I am struggling to validate the Mandrill Webhook request.

As stated at http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests, this should look something like this in PHP:

    /**
     * Generates a base64-encoded signature for a Mandrill webhook request.
     * @param string $webhook_key the webhook authentication key
     * @param string $url the webhook url
     * @param array $params the request POST parameters
     */
    function generateSignature($webhook_key, $url, $params) {
        $signed_data = $url;
        ksort($params);
        foreach ($params as $key => $value) {
            $signed_data .= $key;
            $signed_data .= $value;
        }
        return base64_encode(hash_hmac('sha1', $signed_data, $webhook_key, true));
    }

So, I came up with this:

    var crypto = require('crypto');
    var url = "http://....";
    var post = "<POST Data>";
    // HMAC-SHA1 over the URL followed by the POST data, base64-encoded
    crypto.createHmac("sha1", "<Webhook Signature Key>").update(url + post).digest("base64");

Unfortunately this does not work. I get a different signature.

POST data is received using urlencoded, for example:

 mandrill_events=%5B%7B%22event%22%3A%22inbound ... 

Urldecoded:

 mandrill_events=[{"event":"inbound ... 

The Mandrill documentation states that the delimiter should not be included, so this is the line I'm using (without the =):

 mandrill_events[{"event":"inbound ... 

Any ideas on this?

PS: I double-checked the URL and Webhook key :-).

+4
2 answers

Use the URL (config.url in the example) and the key (config.key) that appear in https://mandrillapp.com/settings/webhooks for this specific website.

In addition to the answer above, you need to make sure that slashes are escaped with a single backslash.

    var crypto = require('crypto');
    // mandrillEventsParamVal - how you get that depends on your request processor chain
    // Escape every "/" as "\/", matching the JSON Mandrill signs
    var paramValEscaped = mandrillEventsParamVal.replace(/\//g, '\\\/');
    // Signed data: webhook URL, parameter name, parameter value, no delimiters
    var input = config.url + 'mandrill_events' + paramValEscaped;
    var check = crypto.createHmac('sha1', config.key).update(input, 'utf8').digest('base64');

The string check is what you compare against the "X-Mandrill-Signature" header.

+3

The problem arises from the format of the input data. You have to concatenate the key/value pairs, for example:

    // Same as the PHP reference: URL first, then each key immediately followed
    // by its value, with the keys sorted (PHP's ksort) and no delimiters
    var data = URL;
    Object.keys(POST_DATA).sort().forEach(function (key) {
        data += key + POST_DATA[key];
    });

And now you can check if base64 (sha1 (data, mkey)) matches the signature.

+1

Source: https://habr.com/ru/post/1486865/
