我设置了Typeform webhook,它运行良好。
现在,我试图保护它的安全,但是我被困在Validate payload from Typeform部分中。
我将概述的步骤和Ruby示例(以及Typeform帮助中心发送给我的PHP example)修改为Node(流星):
const crypto = require('crypto');
function post() {
const payload = this.bodyParams;
const stringifiedPayload = JSON.stringify(payload);
const secret = 'the-random-string';
const receivedSignature = lodash.get(request, 'headers.typeform-signature', '');
const hash = crypto
.createHmac('sha256', secret)
.update(stringifiedPayload, 'binary')
.digest('base64');
const actualSignature = `sha256=${hash}`;
console.log('actualSignature:', actualSignature);
console.log('receivedSignature:', receivedSignature);
if (actualSignature !== receivedSignature) {
return { statusCode: 200 };
}
// .. continue ..
});
但是
actualSignature和receivedSignature永远不匹配,我得到如下结果:actualSignature: sha256=4xe1AF0apjIgJNf1jSBG+OFwLYZsKoyFBOzRCesXM0g=
receivedSignature: sha256=b+ZdBUL5KcMAjITxkpzIFibOL1eEtvN84JhF2+schPo=
为什么会这样呢?
最佳答案
您需要使用原始二进制请求,该请求在docs here中指定
使用HMAC SHA-256算法创建哈希(使用created_token
(作为密钥)整个接收到的有效载荷(二进制)。
这是一个使用express和body-parser中间件的示例
const crypto = require('crypto');
const express = require("express");
const bodyParser = require('body-parser');
const TYPEFORM_SECRET = 'your-secret';
const app = express();
const port = 3000;
app.use(bodyParser.raw({ type: 'application/json' }));
app.post(`/webhook`, (req, res) => {
const expectedSig = req.header('Typeform-Signature');
const hash = crypto.createHmac('sha256', TYPEFORM_SECRET)
.update(req.body)
.digest('base64');
const actualSig = `sha256=${hash}`;
if (actualSig !== expectedSig) {
// invalid request
res.status(403).send();
return;
}
// successful
res.status(200).send();
});
app.listen(port, () => {
console.log(`listening on port ${port}!`);
});
关于javascript - 验证Node中的TypeForm Webhook有效负载,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56149652/