SHA256 webhook signature from WooCommerce never verifies


Problem description

I am receiving webhooks from a woocommerce site into a nodejs/express application. I am trying to verify the webhook's signature to prove authenticity, yet the hash I compute never corresponds to the signature that woocommerce reports in the hook's signature header.

Here is the code I am using to verify the authenticity:

function verifySignature(signature, payload, key) {
  var computedSignature = crypto.createHmac("sha256", key).update(payload).digest('base64');
  debug('computed signature: %s', computedSignature);
  return computedSignature === signature;
}

This function is being called with the following parameters:

var signature = req.headers['x-wc-webhook-signature'];
verifySignature(signature, JSON.stringify(req.body), config.wooCommence.accounts.api[config.env].webhookSecret)

The webhook's signature header reports the signature as BewIV/zZMbmuJkHaUwaQxjX8yR6jRktPZQN9j2+67Oo=. The result of the above operation, however, is S34YqftH1R8F4uH4Ya2BSM1rn0H9NiqEA2Nr7W1CWZs=.

I have manually configured the secret on the webhook, and as you see in the code above, this same secret is also hardcoded in the express application. So either I am taking the wrong payload to compute the signature, or there is something else fishy that prevents me from verifying these signatures.

Would appreciate any pointers to help me solve this issue.

Solution

For people using node, this should do the trick.

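var crypto = require('crypto');

// Recompute the base64 HMAC-SHA256 of the serialized body and compare it
// with the value from the signature header.
var processWebHookSignature = function (secret, body, signature) {
  var signatureComputed = crypto.createHmac('SHA256', secret).update(
    Buffer.from(JSON.stringify(body), 'utf8')).digest('base64');

  return signatureComputed === signature;
};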
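
An added example (not code from the question or the answer): the sender computes the HMAC over the bytes it transmits, so this version verifies the raw request bytes and compares in constant time, then shows how parsing and re-serializing with `JSON.stringify` changes the bytes. PHP's `json_encode` escapes `/` and non-ASCII characters by default; the secret, payload and function names below are constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Base64 HMAC-SHA256 over the exact bytes that were received.
function computeSignature(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
}

// Constant-time check of the X-WC-Webhook-Signature header value.
function verifyWebhook(secret, rawBody, headerSignature) {
  if (typeof headerSignature !== 'string') return false;
  const expected = Buffer.from(computeSignature(secret, rawBody), 'base64');
  const received = Buffer.from(headerSignature, 'base64');
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample body in the form PHP's json_encode emits by default:
// "/" escaped as "\/" and non-ASCII characters as \uXXXX.
const SECRET = 'constructed-test-secret';
const RAW_BODY = Buffer.from(
  '{"id":101,"permalink":"https:\\/\\/shop.example\\/product\\/caf\\u00e9"}',
  'utf8');
// Constructed header value: what a sender holding SECRET would attach.
const HEADER = computeSignature(SECRET, RAW_BODY);

// What a JSON body parser followed by JSON.stringify hands to the HMAC instead.
function reserialize(rawBody) {
  return Buffer.from(
    JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');
}

function demo() {
  return {
    rawOk: verifyWebhook(SECRET, RAW_BODY, HEADER),
    reserializedOk: verifyWebhook(SECRET, reserialize(RAW_BODY), HEADER),
    bytesDiffer: !RAW_BODY.equals(reserialize(RAW_BODY)),
  };
}

console.log(demo());
```

In Express the raw bytes can be captured with `express.raw({ type: 'application/json' })` or the `verify` callback of `express.json()`; which one fits is an assumption about the app's setup.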
