HMAC Signature doesn't match x-hub-signature from github

Problem description

I'm handling an incoming Webhook from github, and want to verify the x-hub-signature. I'm using hmac to hash the "secret", and then compare the two hashes. The problem is that they never match. This is my setup:

router.route("/auth")

.post((req, res) => {

    var hmac = crypto.createHmac("sha1", process.env.WEBHOOK_SECRET);
    var calculatedSignature = "sha1=" + hmac.update(JSON.stringify(req.body)).digest("hex");
    console.log(req.headers["x-hub-signature"] === calculatedSignature); // Returns false
    console.log(req.headers["x-hub-signature"]) // => sha1=blablabla
    console.log(calculatedSignature) // => sha1=foofoofoo

    res.end();
});

I've tried everything, but can't make it work. Wondering if the hmac.update() should hold another parameter than JSON.stringify(req.body). Does anyone know why they won't match?

Recommended answer

If the webhook Content-Type is set to application/x-www-url-encoded then the string you need to use to check the HMAC is "payload=" + query_encoded_payload.

For example, in golang:

payloadForm := r.PostFormValue("payload")
escaped := url.QueryEscape(payloadForm) // ex. http://www.url-encode-decode.com/
checkMe := "payload=" + escaped
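
Added example (not from the original question or answer): a Node.js check that computes the HMAC over the raw request body bytes instead of a re-serialised `req.body`, with a constant-time comparison. It generalises the answer's form-encoded case to a JSON body as well. The secret, the payloads and the helper names `sign`, `verifySignature` and `demo` are constructed for illustration.

```javascript
const crypto = require("crypto");

// Header value a sender would produce for these exact body bytes.
function sign(secret, rawBody) {
  return "sha1=" + crypto.createHmac("sha1", secret).update(rawBody).digest("hex");
}

// Verify x-hub-signature against the raw body, comparing in constant time.
function verifySignature(secret, rawBody, header) {
  if (typeof header !== "string") return false;
  const expected = Buffer.from(sign(secret, rawBody), "utf8");
  const received = Buffer.from(header, "utf8");
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real webhook traffic).
const SECRET = "constructed-test-secret";
const sampleEvent = { action: "opened", title: "caf\u00e9 fix" };
// JSON body whose serialisation differs from JSON.stringify output
// (spaces after separators, non-ASCII character escaped).
const jsonBody = Buffer.from('{"action": "opened", "title": "caf\\u00e9 fix"}');
const jsonHeader = sign(SECRET, jsonBody);
// Form-encoded delivery: the signed bytes are the whole "payload=..." body.
const formBody = Buffer.from("payload=" + encodeURIComponent(JSON.stringify(sampleEvent)));
const formHeader = sign(SECRET, formBody);

function demo() {
  const parsed = JSON.parse(jsonBody.toString("utf8"));
  const decoded = new URLSearchParams(formBody.toString("utf8")).get("payload");
  return {
    rawJson: verifySignature(SECRET, jsonBody, jsonHeader),                     // true
    reserialised: verifySignature(SECRET, JSON.stringify(parsed), jsonHeader),  // false
    rawForm: verifySignature(SECRET, formBody, formHeader),                     // true
    decodedForm: verifySignature(SECRET, decoded, formHeader),                  // false
    missingHeader: verifySignature(SECRET, jsonBody, undefined),                // false
  };
}

console.log(demo());
```

In Express, the raw bytes can be captured with the `verify` option of `express.json()` or `express.urlencoded()` before the body is parsed.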
