Verifying Webhook 2 signature hash Hmac Sha256
I am trying to verify the signature of the webhook 2 call Im using java but it doesnt appear to be working. Here is my code
String secret = "Hidden for post";
String message = bodyOfRequest;
Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);
String hash = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));
logger.info(String.format("Primiary signature: %s from hash: %s", boxSigPrimary, hash));
if (!hash.equals(boxSigPrimary)){
logger.info("hash doesnt match");
}
However the hash never matches what am I doing wrong?
-
I think you need to hash the `box-delivery-timestamp` as well as the message body.
Here is some sample JavaScript code that works:
let hmac = crypto.createHmac('sha256', signatureKey); hmac.update(event.body); hmac.update(event.headers['box-delivery-timestamp']); const signature = hmac.digest('base64');The details are at https://docs.box.com/reference#signatures
Good luck!
-
The official box java sdk have a helper class (BoxWebHookSignatureVerifier.java) to verify webhook signatures. You can look at the tests for basic usage.
サインインしてコメントを残してください。
コメント
2件のコメント