secret in webhook.


I have added a secret while creating a webhook for a form. Now, in the callback API, I'm fetching Authorization in the header as the secret value. But I am not getting the secret. How will we get the secret in the callback?

Best answer by picsoung 20 March 2021, 00:18

17 replies

Hi @ankit - thanks for stopping by! Are you trying to validate the signature in the webhook payload and that’s failing? If so, would you mind sending the call you’re making? 

For some context, here are the instructions for validating the payload!

Hi, I'm following the same steps mentioned in the doc to validate the signature:
https://developer.typeform.com/webhooks/secure-your-webhooks/

 

But, I am not getting the same signature, which I am getting in Request Header of the callback.

Can you please let me know what I have missed here?
1. Using the payload we get in the callback request body, as plain text, for HMAC SHA-256.
2. Using the secret, which we saved in the Create Webhook API, as the key.
3. Did Base64 of the hash.
4. Added “sha256=” in the output.
5. But this is not the same signature I am getting in the Request Header in the callback API.

Hi @Liz , My first question was to check the field name in the header, in which we are getting signature. But later, I got to know that “Typeform-Signature” field is there in the Request Header.

Now, the value I am getting in “Typeform-Signature” is not the same value I'm creating using HMAC SHA-256. Can you please help me with that?

Hi @Liz , if you can help me with some sample payload, secret, the signature value, which we will get in the “Typeform-Signature”, and then generating the signature, using the same payload and secret.

That will be helpful. Because right now, it’s not working for me with HMAC sha-256.

Hi @ankit You can see an example of the payload here. Would you mind sending the exact call you’re making so I can see what’s causing the issue? :grinning:  

Hey @ankit 

Could you tell us which programming language you use?

Here is an example that works in Node with express

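const express = require("express");
const crypto = require('crypto');

const app = express();
// shared secret set when the webhook was created (the env var name is an assumption)
const webhookSecret = process.env.TYPEFORM_WEBHOOK_SECRET;

// keep the body as a raw Buffer so the HMAC covers the exact bytes received
app.use(express.raw({ type: 'application/json' }));

app.post('/webhook', async (request, response) => {
  console.log('~> webhook received');

  // security check, let's make sure request comes from typeform
  const signature = request.headers['typeform-signature'];
  const isValid = Buffer.isBuffer(request.body) && verifySignature(signature, request.body);
  if (!isValid) {
    // reject instead of throwing: Express 4 does not catch errors thrown in async handlers
    console.error('Webhook signature is not valid, someone is faking this!');
    return response.sendStatus(401);
  }

  // send 200 status back, and notify typeform 👌
  response.sendStatus(200);

  const { event_type, form_response } = JSON.parse(request.body.toString('utf8'));

  // filter response events only
  if (event_type === 'form_response') {
    // LOGIC goes here
  }
});


// function to verify request signature
const verifySignature = function (receivedSignature, payload) {
  if (typeof receivedSignature !== 'string') return false; // header missing
  const hash = crypto
    .createHmac('sha256', webhookSecret)
    .update(payload)
    .digest('base64');
  const expected = Buffer.from(`sha256=${hash}`);
  const received = Buffer.from(receivedSignature);
  // constant-time comparison; timingSafeEqual needs buffers of equal length
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
};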

I am working in Java. To create the signature, Typeform support had shared one link, and I'm using that one, but the signatures are different.

Sharing the link for your reference.

https://www.codepile.net/pile/w4AzpW6L

 

I have also shared the sample payload and the code I'm using to create the signature over email with Nordin (Typeform Support).

The correct answer for this can be found here:

https://stackoverflow.com/questions/61248861/unable-to-get-typeform-webhook-signature-with-c-sharp-to-work is the last answer

Please update your docs: instead of request.body.toString() → it should be `${JSON.stringify(request.body)}\u000a`

 

At the end of the body you need to add a new line character at the end of the body as string in order for this to work.

I spent way too long on this problem only to find the docs are wrong. Thanks Houzy, but please Typeform devs, fix your docs.

Hi @Adept Thanks for stopping by. Can you clarify what isn’t correct in our documentation? Thanks. 

You are the saviour. Typeform devs, please update the docs, otherwise it will create a big issue sooner or later. @Liz
Link Here: https://developer.typeform.com/webhooks/secure-your-webhooks/

I also could get it working...1h later than expected!
Only worked by using `${JSON.stringify(request.body)}\u000a` instead of request.body.toString()

Docs should definitely be fixed!

+1 on updating the docs. 

For my NodeJS backend (using Firebase Functions), the following worked for me:

const isValid = verifySignature(signature, `${JSON.stringify(req.body)}\n`);

Note the newline character at the end of the stringified body. 
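Added example, not part of the thread and not Typeform's code: it signs a constructed payload the way the replies above describe (HMAC-SHA256, base64, "sha256=" prefix) and shows why a re-serialized body only matches when it happens to reproduce the received bytes, trailing newline included. It goes one step beyond the thread by also checking a body with different whitespace. The secret, the payload and the names sign, verify and demo are assumptions made for the illustration.

```javascript
// Added example: constructed secret and payload, not real Typeform data.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';
// Constructed raw body as received on the wire: compact JSON plus a trailing newline.
const RAW_BODY = Buffer.from('{"event_type":"form_response","form_response":{"token":"demo"}}\n');

// Sender side: HMAC-SHA256 over the exact bytes, base64, "sha256=" prefix.
function sign(secret, bytes) {
  const mac = crypto.createHmac('sha256', secret).update(bytes).digest('base64');
  return `sha256=${mac}`;
}

// Receiver side: recompute over the bytes given and compare in constant time.
function verify(secret, bytes, header) {
  if (typeof header !== 'string') return false; // header missing
  const expected = Buffer.from(sign(secret, bytes));
  const received = Buffer.from(header);
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

function demo() {
  const header = sign(SECRET, RAW_BODY);
  const parsed = JSON.parse(RAW_BODY.toString('utf8')); // what express.json() hands you
  // The same JSON with different whitespace, which is also a valid body.
  const spacedRaw = Buffer.from(JSON.stringify(parsed, null, 2) + '\n');
  const spacedHeader = sign(SECRET, spacedRaw);
  const spacedParsed = JSON.parse(spacedRaw.toString('utf8'));
  return {
    rawBytes: verify(SECRET, RAW_BODY, header),
    reserialized: verify(SECRET, JSON.stringify(parsed), header),
    reserializedNewline: verify(SECRET, `${JSON.stringify(parsed)}\n`, header),
    spacedRawBytes: verify(SECRET, spacedRaw, spacedHeader),
    spacedReserializedNewline:
      verify(SECRET, `${JSON.stringify(spacedParsed)}\n`, spacedHeader),
    missingHeader: verify(SECRET, RAW_BODY, undefined),
  };
}

console.log(demo());
```

Verifying the raw Buffer (for example with express.raw, as in the Express example earlier in the thread) succeeds in both cases; the stringify-plus-newline form succeeds only while the sender's serialization is byte-identical to JSON.stringify output.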

Hey, just stopping by to say I was banging my head against the wall with this same problem until I found this thread.

 

The documentation at https://www.typeform.com/developers/webhooks/secure-your-webhooks/ for Node with Express does not work!

Really, someone should update it!

Hi @ChompyThePenguin Happy little Friday! Thanks for stopping by. Do you mind sharing what specifically isn’t working? Are you receiving any error messages? Thanks in advance!

On that documentation page (https://www.typeform.com/developers/webhooks/secure-your-webhooks/), the Node with Express example shows 

request.body.toString()

on the fifth line.

As people said above, it should be

`${JSON.stringify(request.body)}\n`

Thanks, as always for your time and help, Liz!

Thanks, @ChompyThePenguin ! Let me ask someone who works with the documentation and get back to you. 
