HMAC Signature doesn't match x-hub-signature from github
Problem description
I'm handling an incoming Webhook from github, and want to verify the x-hub-signature. I'm using hmac to hash the "secret", and then compare the two hashes. The problem is that they never match. This is my setup:
router.route("/auth")
    .post((req, res) => {
        var hmac = crypto.createHmac("sha1", process.env.WEBHOOK_SECRET);
        var calculatedSignature = "sha1=" + hmac.update(JSON.stringify(req.body)).digest("hex");
        console.log(req.headers["x-hub-signature"] === calculatedSignature); // Returns false
        console.log(req.headers["x-hub-signature"]); // => sha1=blablabla
        console.log(calculatedSignature); // => sha1=foofoofoo
        res.end();
    });
I've tried everything, but can't make it work. Wondering if the hmac.update() should hold another parameter than JSON.stringify(req.body). Does anyone know why they won't match?
Recommended answer
If the webhook Content-Type is set to application/x-www-url-encoded then the string you need to use to check the HMAC is "payload=" + query_encoded_payload.
For example, in golang:
    payloadForm := r.PostFormValue("payload")
    escaped := url.QueryEscape(payloadForm) // ex. http://www.url-encode-decode.com/
    checkMe := "payload=" + escaped
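An added example, not part of the original question or answer: a Node.js check that computes the HMAC over the raw request bytes and compares it in constant time, showing that a re-serialised parsed body fails while the raw body (for form deliveries, the answer's "payload=" + encoded payload) verifies. The secret, the event object, the sample bodies and the helper names sign, verify and demo are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample values (not from the original post).
const SECRET = "constructed-test-secret";
const event = { zen: "Keep it logically awesome.", hook_id: 1 };

// Raw bytes of a JSON delivery; the sender's spacing differs from JSON.stringify's.
const rawJsonBody = Buffer.from('{"zen": "Keep it logically awesome.", "hook_id": 1}');
// Raw bytes of a form-encoded delivery: "payload=" + URL-encoded JSON.
const rawFormBody = Buffer.from(new URLSearchParams({ payload: JSON.stringify(event) }).toString());

// Header value in the "sha1=<hex>" form shown in the question.
function sign(secret, bytes) {
  return "sha1=" + crypto.createHmac("sha1", secret).update(bytes).digest("hex");
}

// Compare the received header with the HMAC of the raw bytes in constant time.
function verify(secret, rawBody, header) {
  const expected = Buffer.from(sign(secret, rawBody));
  const received = Buffer.from(String(header || ""));
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

function demo() {
  const jsonHeader = sign(SECRET, rawJsonBody); // what the sender would attach
  const formHeader = sign(SECRET, rawFormBody);
  // What a body parser hands to the route: decoded values, original bytes gone.
  const parsedJson = JSON.parse(rawJsonBody.toString());
  const payload = new URLSearchParams(rawFormBody.toString()).get("payload");
  return {
    jsonRaw: verify(SECRET, rawJsonBody, jsonHeader),
    jsonReStringified: verify(SECRET, Buffer.from(JSON.stringify(parsedJson)), jsonHeader),
    formRaw: verify(SECRET, rawFormBody, formHeader),
    formPayloadOnly: verify(SECRET, Buffer.from(payload), formHeader),
    // The answer's approach: rebuild "payload=" + encoded payload. It only works
    // when the re-encoding is byte-identical to what the sender produced.
    formRebuilt: verify(SECRET, Buffer.from(new URLSearchParams({ payload }).toString()), formHeader),
  };
}

console.log(demo());
```

In Express the raw bytes can be captured with the verify option of express.json() and express.urlencoded(), which receives the body as a Buffer before parsing.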