我设置了Typeform webhook,它运行良好。

现在,我试图保护它的安全,但是我被困在Validate payload from Typeform部分中。

我将概述的步骤和Ruby示例(以及Typeform帮助中心发送给我的PHP example)修改为Node(流星):

const crypto = require('crypto');

function post() {
  const payload = this.bodyParams;
  const stringifiedPayload = JSON.stringify(payload);

  const secret = 'the-random-string';

  const receivedSignature = lodash.get(request, 'headers.typeform-signature', '');

  const hash = crypto
    .createHmac('sha256', secret)
    .update(stringifiedPayload, 'binary')
    .digest('base64');
  const actualSignature = `sha256=${hash}`;

  console.log('actualSignature:', actualSignature);
  console.log('receivedSignature:', receivedSignature);

  if (actualSignature !== receivedSignature) {
    return { statusCode: 200 };
  }

  // .. continue ..
});


但是actualSignaturereceivedSignature永远不匹配,我得到如下结果:

actualSignature: sha256=4xe1AF0apjIgJNf1jSBG+OFwLYZsKoyFBOzRCesXM0g=
receivedSignature: sha256=b+ZdBUL5KcMAjITxkpzIFibOL1eEtvN84JhF2+schPo=


为什么会这样呢?

最佳答案

您需要使用原始二进制请求,该请求在docs here中指定


  使用HMAC SHA-256算法创建哈希(使用created_token
  (作为密钥)整个接收到的有效载荷(二进制)。


这是一个使用express和body-parser中间件的示例

const crypto = require('crypto');
const express = require("express");
const bodyParser = require('body-parser');

const TYPEFORM_SECRET = 'your-secret';

const app = express();
const port = 3000;

app.use(bodyParser.raw({ type: 'application/json' }));

app.post(`/webhook`, (req, res) => {
  const expectedSig = req.header('Typeform-Signature');

  const hash = crypto.createHmac('sha256', TYPEFORM_SECRET)
    .update(req.body)
    .digest('base64');

  const actualSig = `sha256=${hash}`;

  if (actualSig !== expectedSig) {
    // invalid request
    res.status(403).send();
    return;
  }

  // successful

  res.status(200).send();
});

app.listen(port, () => {
  console.log(`listening on port ${port}!`);
});

关于javascript - 验证Node中的TypeForm Webhook有效负载,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56149652/

10-10 22:51