Answered

Webhook secret Authentication issue


I was creating a webhook for Typeform in Ruby on Rails and it is working fine. I was trying to add authentication using the secret by following https://developer.typeform.com/webhooks/secure-your-webhooks/. I tried using exactly the same code given in the documentation, but the received and actual signatures are still different. I tried verifying the payload and secret by converting it to SHA-256 in an online encryptor, and the hash produced there is the same as what I get when doing the encryption in the code. The authorization token passed in the Typeform request header is wrong. Can someone help me here?

 

Best answer by Nordin


Liz
Community Team
  • Tech Community Advocate
  • July 19, 2021

Hi @aswinvb Thanks for stopping by the community! Happy Monday. :grinning: Do you mind sharing the code and setup you’re using? That’ll help me see better what’s happening. Thanks!


  • Explorer
  • July 19, 2021

Hi @Liz, I created the secret token using ruby -rsecurerandom -e 'puts SecureRandom.hex(20)' and added it in the webhook configuration.

Following is the code that I added in our server:

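    require 'openssl'
    require 'base64'

    # Read the raw request body exactly as received and verify its signature.
    def authenticate_typeform
      request.body.rewind
      payload_body = request.body.read
      verify_signature(request.env['HTTP_TYPEFORM_SIGNATURE'], payload_body)
    end

    # Recompute 'sha256=' + Base64(HMAC-SHA256(secret, body)) and compare in constant time.
    def verify_signature(received_signature, payload_body)
      hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), GlobalConstant.typeform.secret, payload_body)
      actual_signature = 'sha256=' + Base64.strict_encode64(hash)
      # .to_s: a request with no signature header is rejected instead of raising on nil.
      render json: { message: 'Authentication Error' }, status: :bad_request and
        return unless Rack::Utils.secure_compare(actual_signature, received_signature.to_s)
    end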

Thanks!

 


Liz
Community Team
  • Tech Community Advocate
  • July 19, 2021

Hi @aswinvb Since I’m not super familiar with Ruby, I’ve reached out to my colleagues to ask for some help! I’ll paste their responses here once I hear back. :) 


  • Explorer
  • July 19, 2021

Thanks for the response @Liz 


Nordin
Typeform
  • Typeform
  • July 20, 2021

Hello there,

This is Nordin from Tech support. Nice to be back for a bit in our lovely community.

I’m not a Ruby specialist and maybe you have a problem in your code, but before you go mad with that let me tell you that 95% of the webhook security encryption issues that are escalated to us are caused by testing with the wrong payload. 

In order for the script to work properly, regardless of the language you are using, you need to make sure you pass a real request->body to the algo instead of copying and pasting it from anywhere and storing it in a variable. 

That won’t work, believe me. When I joined Typeform I spent about 3 days modifying my 12 line script until I found out it was because I was using the wrong payload. :joy: You can use something like Ngrok or Serveo to send it to your dev environment, and I believe in most cases that will sort it out.
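
Added example, not part of the thread or of Typeform's documentation: a Ruby sketch of why a pasted payload fails verification. It signs a constructed body with a constructed secret in the `sha256=` + Base64 format used in the code posted above, then checks several hand-made copies of that body against the same signature. The secret, body and all method names are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Constructed secret and request body; neither comes from the thread.
SECRET = 'constructed-example-secret'
RAW_BODY = %({"event_id":"constructed-01","event_type":"form_response","form_response":{"answers":[{"type":"text","text":"caf\\u00e9"}]}}\n)

# "sha256=" + Base64(HMAC-SHA256(secret, body)), the format the thread's code builds.
def typeform_signature(secret, body)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, body)
  'sha256=' + [digest].pack('m0') # pack('m0') gives the same output as Base64.strict_encode64
end

# Constant-time comparison; a missing header (nil) fails closed.
def valid_signature?(secret, body, header)
  OpenSSL.secure_compare(typeform_signature(secret, body), header.to_s)
end

# Ways a hand-copied payload can differ from the bytes that were signed.
def payload_variants(raw)
  parsed = JSON.parse(raw)
  {
    'raw request body'          => raw,
    'parsed then re-serialized' => JSON.generate(parsed),
    'pretty-printed copy'       => JSON.pretty_generate(parsed),
    'trailing newline stripped' => raw.chomp
  }
end

# Map each variant name to whether it verifies against the header value.
def check_variants(secret, raw, header)
  payload_variants(raw).transform_values { |body| valid_signature?(secret, body, header) }
end

if __FILE__ == $PROGRAM_NAME
  header = typeform_signature(SECRET, RAW_BODY) # value the sender would put in the header
  check_variants(SECRET, RAW_BODY, header).each do |name, ok|
    puts format('%-28s %s', name, ok ? 'match' : 'MISMATCH')
  end
end
```

Only the untouched bytes verify; every copy that has passed through a JSON parser, a formatter or a text field produces a different HMAC even though the data is logically identical.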


  • Explorer
  • July 21, 2021

Thanks @Nordin, the issue was what you said. When I tried directly by giving the endpoint in Typeform it is working.

Thank you so much!


Liz
Community Team
  • Tech Community Advocate
  • July 21, 2021

Yay! Glad that worked, @aswinvb . Thanks @Nordin for the help! :smiley:

