Sendgrid-php: verifySignature() from EventWebhook not working

Created on 23 Oct 2020 · 5 Comments · Source: sendgrid/sendgrid-php

Issue Summary

So we were trying to implement a Signed Event Webhook Request for our Sendgrid events webhook using the EventWebhook class, and while it seems to work fine with the mocked datasets in the EventWebhookTest class, it doesn't with real requests X-Twilio-... headers and contents.

See code snippet to see what our code looks like.

I think the publicKey is correct, I've tried to add a \r\n after the requestContent too but it does not help.

Steps to Reproduce

  1. Use real headers and content sent by Sendgrid to an event webhook.
  2. Call verifySignature() method.

Code Snippet

        $eventWebhook = new EventWebhook();
        $ecPublicKey = $eventWebhook->convertPublicKeyToECDSA($this->publicKey);

        $valid = $eventWebhook->verifySignature(
            $ecPublicKey,
            $requestContent,
            $signature,
            $timestamp
        );

        if (false === $valid) {
            $this->logger->error('Sendgrid authentication has failed on event webhook');
        }

Exception/Log

None, just verifySignature() returning false.

Technical details:

  • sendgrid-php version: 7.8.5
  • php version: 7.4

All 5 comments

Hi @Lharz

The "test data" used for testing actually come from a live/production Event Webhook request. Can you provide additional code examples from how you're processing the incoming request to get to the final $requestContent that gets passed to the verifySignature function?

Closing until additional code samples are provided. Please reopen if more help is needed.

Hope that helps someone. To test your code to verify your signature:

* Make sure to use a NOT formatted JSON into your HTTP client (we copied at first the one with carriage returns and tabs), it needs to be raw (no \n \t or spaces)

* If you are using Laravel your payload will be like: `$payload = $request->getContent() . "\r\n";`

* If you use webhook.site to test your webhook, uncheck  _Format JSON_ and _Word-Wrap_ on the right side of your screen before you copy the body.
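
Why a formatted or re-serialised body fails the check, as an added example that is not part of the thread or of sendgrid-php. It assumes the signature is ECDSA/SHA-256 over the timestamp concatenated with the raw body, and uses PHP's openssl extension with a throwaway key; `signWebhook` and `verifyWebhook` are hypothetical helpers and the event body is constructed.

```php
<?php
// Added illustration, not sendgrid-php code. Assumption: the sender signs
// timestamp . rawBody with ECDSA/SHA-256 and base64-encodes the signature.

// Constructed throwaway P-256 key pair standing in for the sender's signing key.
$privateKey = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_EC,
    'curve_name'       => 'prime256v1',
]);
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

// Hypothetical helper: what the sender does before the POST.
function signWebhook(string $timestamp, string $rawBody, $privateKey): string
{
    openssl_sign($timestamp . $rawBody, $der, $privateKey, OPENSSL_ALGO_SHA256);
    return base64_encode($der);
}

// Hypothetical helper: the receiver's check over the exact bytes it was given.
function verifyWebhook(string $timestamp, string $body, string $signature, string $publicKeyPem): bool
{
    $der = base64_decode($signature, true);
    if ($der === false) {
        return false; // malformed base64 counts as a failed check
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); only 1 passes.
    return openssl_verify($timestamp . $body, $der, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample body, ending in the "\r\n" that the comment above appends.
$timestamp = '1600000000';
$rawBody   = '[{"email":"user@example.com","event":"delivered","sg_event_id":"constructed-id"}]' . "\r\n";
$signature = signWebhook($timestamp, $rawBody, $privateKey);

// The same JSON document in four byte-level forms.
$candidates = [
    'raw bytes as received'  => $rawBody,
    'trailing CRLF trimmed'  => rtrim($rawBody),
    'decoded and re-encoded' => json_encode(json_decode($rawBody, true)),
    'pretty-printed copy'    => json_encode(json_decode($rawBody, true), JSON_PRETTY_PRINT),
];

foreach ($candidates as $label => $body) {
    $ok = verifyWebhook($timestamp, $body, $signature, $publicKeyPem);
    printf("%-24s %s\n", $label, $ok ? 'valid' : 'INVALID');
}
```

Only the unmodified bytes verify: trimming, re-encoding and pretty-printing all keep the JSON semantically identical but change the signed byte string.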

Thank you @tquiroga. Your message really was helpful and it worked for us

@tquiroga Saved my sanity my friend. Cheers.

Now to get this working in unit tests. plods back to the salt mines...
