I'm trying to accept form responses from Typeform using Python/Django/DRF and am having trouble authenticating the webhook request due to not being able to get the hashes to match.
Here are the instructions from Typeform:
1. Using the HMAC SHA-256 algorithm, create a hash (using created_token as a key) of the entire received payload as binary.
2. Encode the binary hash in base64 format.
3. Add prefix sha256= to the binary hash.
4. Compare the created value with the signature you received in the Typeform-Signature header from Typeform.authentication.py
class TypeformAuthentication(authentication.BaseAuthentication):
def authenticate(self, request):
typeform_signature = request.META.get('HTTP_TYPEFORM_SIGNATURE')
data = request.body
secret_key = os.environ.get('TYPEFORM_SECRET_KEY')
if not typeform_signature:
return None
if typeform_signature:
hash = hmac.new(bytes(secret_key, encoding='utf-8'), data, hashlib.sha256)
actual_signature = 'sha256={}'.format(base64.b64encode(hash.digest()).decode())
user = User.objects.get(username='typeform-user')
if actual_signature == typeform_signature:
return(user, None)
else:
raise exceptions.AuthenticationFailed('Typeform signature does not match.')
else:
return NoneExample payload
{
"event_id": "01DTXE27VQSA3JP8ZMP0GF9HCP",
"event_type": "form_response",
"form_response": {
"form_id": "OOMZur",
"token": "01DTXE27VQSA3JP8ZMP0GF9HCP",
"landed_at": "2019-11-30T05:55:46Z",
"submitted_at": "2019-11-30T05:55:46Z",
"definition": {
"id": "OOMZur",
"title": "Auto Liability (New Company)",
"fields": [
{
"id": "GnpcIrevGZQP",
"title": "What is your business name?",
"type": "short_text",
"ref": "3e60e064-f14c-4787-9968-0358e8f34468",
"properties": {}
}
]
},
"answers": [
{
"type": "text",
"text": "Lorem ipsum dolor",
"field": {
"id": "GnpcIrevGZQP",
"type": "short_text",
"ref": "3e60e064-f14c-4787-9968-0358e8f34468"
}
}
]
}
}Typeform Generated Hash
sha256=jdzKuFkijyBIMvmGyveHfcfzcNXUeQCuveNGP6CEdXk=
authentication.py Generated Hash
