I have added a secret, while creating a webhook for a form. now in the callback API, m fetching Authorization in the header as the secret value. But I am not getting the secret. How will we get the secret in the callback.
Answered
secret in webhook.
Best answer by picsoung
Hey
Could you tell us which programming language you use?
Here is an example that works in Node with express
const express = require("express");
const app = express();
const crypto = require('crypto')
app.use(express.raw({ type: 'application/json' }));
app.post('/webhook', async (request, response) => {
console.log('~> webhook received');
// security check, let's make sure request comes from typeform
const signature = request.headers['typeform-signature']
const isValid = verifySignature(signature, request.body.toString());
if (!isValid) {
throw new Error('Webhook signature is not valid, someone is faking this!');
}
// send 200 status back, and notify typeform 👌
response.sendStatus(200)
const { event_type, form_response } = JSON.parse(request.body);
// filter response events only
if (event_type === 'form_response') {
// LOGIC goes here
}
});
// function to verify request signature
const verifySignature = function(receivedSignature, payload){
const hash = crypto
.createHmac('sha256', webhookSecret)
.update(payload)
.digest('base64')
return receivedSignature === `sha256=${hash}`
}
+5Hi
For some context, here are the instructions for validating the payload!
Hi, m following the same steps mentioned in the doc to validate the signature:
https://developer.typeform.com/webhooks/secure-your-webhooks/
But, I am not getting the same signature, which I am getting in Request Header of the callback.
Can you please let me know what I have missed here?
1. Using the payload, getting in callback Request body, as plain text for HMAC SHA-256.
- Using the secret, which we have saved in the Create Webhook API, as the Key.
- Did Base64 of the hash.
- added “sha256=” in the output.
- But this is not the same signature, I am getting in the Request Header in the callback API.
Hi
Now, the value, I am getting in “Typeform-Signature” is not the same value, m creating using HMAC SHA-256. Can you please help me with that?
Hi
That will be helpful. Because right now, it’s not working for me with HMAC sha-256.
+5
+5Hey
Could you tell us which programming language you use?
Here is an example that works in Node with express
const express = require("express");
const app = express();
const crypto = require('crypto')
app.use(express.raw({ type: 'application/json' }));
app.post('/webhook', async (request, response) => {
console.log('~> webhook received');
// security check, let's make sure request comes from typeform
const signature = request.headers['typeform-signature']
const isValid = verifySignature(signature, request.body.toString());
if (!isValid) {
throw new Error('Webhook signature is not valid, someone is faking this!');
}
// send 200 status back, and notify typeform 👌
response.sendStatus(200)
const { event_type, form_response } = JSON.parse(request.body);
// filter response events only
if (event_type === 'form_response') {
// LOGIC goes here
}
});
// function to verify request signature
const verifySignature = function(receivedSignature, payload){
const hash = crypto
.createHmac('sha256', webhookSecret)
.update(payload)
.digest('base64')
return receivedSignature === `sha256=${hash}`
}I am working on Java. To create the signature, Typeform support had shared one link, m using that one, but the signatures are different.
Sharing the link for your reference.
https://www.codepile.net/pile/w4AzpW6L
I have also shared sample payload, and the code m using to create signature over email to Nordin (Typeform Support).
The correct answer for this can be found here:
https://stackoverflow.com/questions/61248861/unable-to-get-typeform-webhook-signature-with-c-sharp-to-work is the last answer
Please update your docs instead of
request.body.toString() → should be `${JSON.stringify(request.body)}\u000a`
At the end of the body you need to add a new line character at the end of the body as string in order for this to work.
I spent way too long on this problem only to find the docs are wrong. Thanks Houzy, but please Typeform devs, fix your docs.
1 person likes this
+5Hi
Houzy wrote:
The correct answer for this can be found here:
https://stackoverflow.com/questions/61248861/unable-to-get-typeform-webhook-signature-with-c-sharp-to-work is the last answer
Please update your docs instead of
request.body.toString() → should be `${JSON.stringify(request.body)}\u000a`
At the end of the body you need to add a new line character at the end of the body as string in order for this to work.
You are the saviour. Typeform Devs Please update the docs otherwise it will create a big issue sooner or later.
Link Here: https://developer.typeform.com/webhooks/secure-your-webhooks/
1 person likes this
aghosh0605 wrote:
Houzy wrote:
The correct answer for this can be found here:
https://stackoverflow.com/questions/61248861/unable-to-get-typeform-webhook-signature-with-c-sharp-to-work is the last answer
Please update your docs instead of
request.body.toString() → should be `${JSON.stringify(request.body)}\u000a`
At the end of the body you need to add a new line character at the end of the body as string in order for this to work.
You are the saviour. Typeform Devs Please update the docs otherwise it will create a big issue sooner or later.
Link Here: https://developer.typeform.com/webhooks/secure-your-webhooks/
I also could get it working...1h later than expected!
Only worked by using `${JSON.stringify(request.body)}\u000a` instead of request.body.toString()
Docs should definetely be fixed!
+1 on updating the docs.
For my NodeJS backend (using Firebase Functions), the following worked for me:
const isValid = verifySignature(signature, `${JSON.stringify(req.body)}\n`);Note the newline character at the end of the stringified body.
Hey, just stopping by to say I was banging my head against the wall with this same problem until I found this thread.
The documentation at
https://www.typeform.com/developers/webhooks/secure-your-webhooks/
for Node with Express does not work!
Really, someone should update it!
+5Hi
On that documentation page (https://www.typeform.com/developers/webhooks/secure-your-webhooks/), the Node with Express example shows
request.body.toString()
on the fifth line.
As people said above, it should be
`${JSON.stringify(request.body)}\n`
Thanks, as always for your time and help, Liz!
+5Thanks,
ChompyThePenguin wrote:
On that documentation page (https://www.typeform.com/developers/webhooks/secure-your-webhooks/), the Node with Express example shows
request.body.toString()
on the fifth line.
As people said above, it should be
`${JSON.stringify(request.body)}\n`
Thanks, as always for your time and help, Liz!
THANK YOU!!!
1 person likes this
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.