Node: HMAC Signature doesn't match x-hub-signature from github
I'm handling an incoming Webhook from github, and wants to verify the x-hub-signature. I'm using hmacto hash the "secret", and then compares the two hashes. The problem is that they never match. This is my setup:
router.route("/auth")
.post((req, res) => {
var hmac = crypto.createHmac("sha1", process.env.WEBHOOK_SECRET);
var calculatedSignature = "sha1=" + hmac.update(JSON.stringify(req.body)).digest("hex");
console.log(req.headers["x-hub-signature"] === calculatedSignature); // Returns false
console.log(req.headers["x-hub-signature"]) // => sha1=blablabla
console.log(calculatedSignature) // => sha1=foofoofoo
res.end();
});
I've tried everything, but can't make it work. Wondering if the hmac.update() should hold another parameter than JSON.stringify(req.body). Does anyone know why they won't match?
jesperlandmer
All 4 comments
Can you post support questions to https://github.com/nodejs/help/issues? Thanks.
bnoordhuis
on 14 Mar 2017
@jesperlandmer did you ever solve this? I'm facing exactly the same issue.. it worked at one point but then it kept failing
dannyk08
on 28 Jan 2018
@dannyk08 So the problem was with the settings of the webhook. The content-format was set to application/x-www-form-urlencoded, which for some reason hashed the x-hub-signature differently. I just changed it to application/json, and then it worked!
jesperlandmer
on 28 Jan 2018
thank you so much @jesperlandmer ! I've scratched my head over this for the last 3 days
dannyk08
on 29 Jan 2018
Related issues
vsemozhetbyt
路
3Comments
ksushilmaurya
路
3Comments
sandeepks1
路
3Comments
srl295
路
3Comments
jmichae3
路
3Comments
Most helpful comment
@dannyk08 So the problem was with the settings of the webhook. The content-format was set to application/x-www-form-urlencoded, which for some reason hashed the x-hub-signature differently. I just changed it to application/json, and then it worked!