Validate TypeForm Webhook payload in Node


Question

I set up a Typeform webhook and it's working well.

Now I'm trying to secure it, but I'm stuck in the Validate payload from Typeform section.

I adapted the outlined steps and the Ruby example (and a PHP example that Typeform Helpcenter sent me) to Node (Meteor):

const crypto = require('crypto');
const lodash = require('lodash');

function post() {
  const payload = this.bodyParams;
  const stringifiedPayload = JSON.stringify(payload);

  const secret = 'the-random-string';

  const receivedSignature = lodash.get(request, 'headers.typeform-signature', '');

  const hash = crypto
    .createHmac('sha256', secret)
    .update(stringifiedPayload, 'binary')
    .digest('base64');
  const actualSignature = `sha256=${hash}`;

  console.log('actualSignature:', actualSignature);
  console.log('receivedSignature:', receivedSignature);

  if (actualSignature !== receivedSignature) {
    return { statusCode: 200 };
  }

  // .. continue ..
}

But the actualSignature and receivedSignature never match; I get results like:

actualSignature: sha256=4xe1AF0apjIgJNf1jSBG+OFwLYZsKoyFBOzRCesXM0g=
receivedSignature: sha256=b+ZdBUL5KcMAjITxkpzIFibOL1eEtvN84JhF2+schPo=

Why is this happening?

Recommended answer

You need to use the raw binary request; it is specified in the docs here:

Using the HMAC SHA-256 algorithm, create a hash (using created_token as a key) of the entire received payload as binary.

Here is an example using express and the body-parser middleware:

const crypto = require('crypto');
const express = require("express");
const bodyParser = require('body-parser');

const TYPEFORM_SECRET = 'your-secret';

const app = express();
const port = 3000;

app.use(bodyParser.raw({ type: 'application/json' }));

app.post(`/webhook`, (req, res) => {
  const expectedSig = req.header('Typeform-Signature');

  const hash = crypto.createHmac('sha256', TYPEFORM_SECRET)
    .update(req.body)
    .digest('base64');

  const actualSig = `sha256=${hash}`;

  if (actualSig !== expectedSig) {
    // invalid request
    res.status(403).send();
    return;
  }

  // successful

  res.status(200).send();
});

app.listen(port, () => {
  console.log(`listening on port ${port}!`);
});
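
Why the parsed-then-stringified body in the question can never match, shown as an added example that is not part of the original question or answer. The secret, the sample body and the helper names `sign` and `verifySignature` are constructed for illustration; the comparison uses `crypto.timingSafeEqual` instead of `!==` so the check does not leak how many leading characters matched.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Constructed sample values, not real Typeform data.
const SECRET = 'the-random-string';
// Raw bytes as they might arrive on the wire: spaces, a newline, a \u escape.
const RAW_BODY = Buffer.from(
  '{ "event_id": "abc123",\n  "form_response": {"answer": "caf\\u00e9"} }',
  'utf8'
);

// HMAC SHA-256 over the received bytes, base64, prefixed with "sha256=",
// following the steps quoted from the docs above.
function sign(secret, bodyBytes) {
  const digest = createHmac('sha256', secret).update(bodyBytes).digest('base64');
  return `sha256=${digest}`;
}

// Verify a received header value against the raw body in constant time.
function verifySignature(secret, rawBody, receivedHeader) {
  // A missing header or an already-parsed body is rejected outright.
  if (!Buffer.isBuffer(rawBody) || typeof receivedHeader !== 'string') return false;
  const expected = Buffer.from(sign(secret, rawBody), 'utf8');
  const received = Buffer.from(receivedHeader, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// What the sender would put in the Typeform-Signature header for RAW_BODY.
const header = sign(SECRET, RAW_BODY);

// The question's approach: parse, then JSON.stringify. The whitespace and the
// \u00e9 escape are not reproduced, so the bytes and therefore the HMAC differ.
const reserialized = Buffer.from(
  JSON.stringify(JSON.parse(RAW_BODY.toString('utf8'))),
  'utf8'
);

console.log('raw bytes verify:     ', verifySignature(SECRET, RAW_BODY, header));
console.log('re-serialized verify: ', verifySignature(SECRET, reserialized, header));
console.log('missing header verify:', verifySignature(SECRET, RAW_BODY, undefined));
```

In an Express handler, `req.body` is the `Buffer` to pass as `rawBody` only when the route uses `bodyParser.raw`, as in the answer above.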
