BigCommerce Webhook中的哈希字段是什么? [英] What is hash field in the BigCommerce webhook?
问题描述
它是如何产生的?我如何验证它?
How it generate? How I can validate it?
https://developer.bigcommerce.com/api/webhooks-getting-started
{
"store_id": 11111,
"producer": "stores/abcde",
"scope": "store/order/statusUpdated",
"data": {
"type": "order",
"id": 173331
},
"hash": "3f9ea420af83450d7ef9f78b08c8af25b2213637"
}
推荐答案
@KarenWhite回答了此问题,他们是该线程的开发人员. https://support.bigcommerce. com/s/question/0D51B00004G6kJf/incoming-webhook-posts-hash-field-in-payload
This was answered by @KarenWhite, their developer evangelist in this thread. https://support.bigcommerce.com/s/question/0D51B00004G6kJf/incoming-webhook-posts-hash-field-in-payload
它使用SHA-1进行了哈希处理,但未使用客户机密进行签名:
It is hashed with SHA-1, but it is not signed with the client secret:
$payload['hash'] = sha1(json_encode($payload));
此外,有关Webhook安全的立场已记录在2018年的市政厅中 https://support.bigcommerce.com/s/article/BigCommerce-Town-Hall-February-2018
Additionally, the stance on webhook security is documented in the 2018 townhall https://support.bigcommerce.com/s/article/BigCommerce-Town-Hall-February-2018
问.如何确保Webhook回调仅由BigCommerce发起,并且数据在BigCommerce和我的服务器端点之间没有更改? Webhook有效负载中返回的哈希可以用于验证请求吗?
Q. How can I make sure that a webhook callback is initiated by BigCommerce only, and that the data is not altered between BigCommerce and my server endpoint? Can the hash returned in the webhook payload be used to verify the request?
A .今天,我们的网络钩子包含的信息很少-它们仅包含ID.去查找其他信息.您需要获得授权才能验证ID.根据商店的API确定所请求的实际信息.我们还通过TLS加密保护了Webhooks,并使开发人员能够将自己的标头添加到事件中,以提高安全性.
A. Our webhooks today contain very little information -- they only contain an I.D. to go look up additional information. You would need to be authorized to verify that I.D. against the store’s API to determine the actual information being requested. We also secure our webhooks with TLS encryption, and enable developers to add their own headers to events for additional security.
这篇关于BigCommerce Webhook中的哈希字段是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
