Manual Webhook Signature Verification Always Fails
Completed
Using .NET Framework 4.7 MVC API
When receiving a webhook event from Box to my API, I get all the required information in the header. I am receiving the payload in the body as a Newtonsoft JObject.
I am attempting to use the same code from the SDK (https://github.com/box/box-windows-sdk-v2/blob/main/Box.V2/Managers/BoxWebhooksManager.cs) to manually verify the signature. However, I am always getting a return of "false" (line 146 from GitHub). Neither of the hash values computed ever matches what is sent in the header.
Side Note: when converting the payload to a string using the JObject.ToString() method, I get two different hashes calculated based on whether I use JObject.ToString() or the JObject.ToString(Formatting.None) methods. Either way, neither of those two strings gives me a matching hash.
// Convert the body of the request into bytes
var bodyBytes = Encoding.UTF8.GetBytes(body.ToString());
var bodyBytes_Format_None = Encoding.UTF8.GetBytes(body.ToString(Formatting.None));
// Add the box time stamp to the byte array
var allBytes = bodyBytes.Concat(Encoding.UTF8.GetBytes(headers["box-delivery-timestamp"])).ToArray();
var allBytes_Format_None = bodyBytes_Format_None.Concat(Encoding.UTF8.GetBytes(headers["box-delivery-timestamp"])).ToArray();
Official comment
Hello,
An issue of this nature will require further investigation by our support team. I see you've already opened a ticket, so someone should be in touch shortly to further troubleshoot!
Best,
Kourtney, Box Developer Advocate
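The side note in the question, worked through as an added example (not code from the original post or from Box's SDK): a signature over body bytes plus timestamp only verifies against the exact bytes that were sent, so a body that has been parsed into a JObject and written back out verifies only if the output happens to be byte-identical. The key, timestamp and payload are constructed sample values, and HMAC-SHA256 with Base64 output is assumed as the signing scheme.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class WebhookSignatureDemo
{
    // Assumed scheme: Base64(HMAC-SHA256(key, body bytes followed by timestamp bytes)).
    static string Sign(byte[] body, string timestamp, string key)
    {
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)))
        {
            var message = body.Concat(Encoding.UTF8.GetBytes(timestamp)).ToArray();
            return Convert.ToBase64String(hmac.ComputeHash(message));
        }
    }

    // Compares every byte instead of stopping at the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        var x = Encoding.UTF8.GetBytes(a);
        var y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample values, not real Box data. The body contains an escaped slash.
        const string key = "constructed-signature-key";
        const string timestamp = "2021-01-01T00:00:00-08:00";
        byte[] rawBody = Encoding.UTF8.GetBytes("{\"type\":\"webhook_event\",\"name\":\"a\\/b\"}");

        string sent = Sign(rawBody, timestamp, key); // what the sender would place in the header

        // Parse and re-serialize, as happens when the body is bound to a JObject.
        JObject parsed = JObject.Parse(Encoding.UTF8.GetString(rawBody));
        byte[] indented = Encoding.UTF8.GetBytes(parsed.ToString());
        byte[] compact = Encoding.UTF8.GetBytes(parsed.ToString(Formatting.None));

        Console.WriteLine("raw bytes:       " + FixedTimeEquals(sent, Sign(rawBody, timestamp, key)));
        Console.WriteLine("ToString():      " + FixedTimeEquals(sent, Sign(indented, timestamp, key)));
        Console.WriteLine("Formatting.None: " + FixedTimeEquals(sent, Sign(compact, timestamp, key)));
    }
}
```

Only the first comparison succeeds: the indented form adds whitespace and the compact form writes the escaped slash back unescaped, so both sign different bytes. A receiver avoids this by hashing the request body bytes exactly as received, before any JSON binding.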