Webhooks => X-Signature & Secret matching

Hi,

We can’t manage to match the X-Signature on our side.

Here is our method:

[HttpPost]
[Route("settings/refresh")]
public async Task<IActionResult> RefreshSettingsAsync([FromHeader(Name = "X-Signature")] string XSignature)
{
        // Reject requests that carry no signature header at all.
        if (!XSignature.IsNotEmpty())
            return BadRequest("X-Signature missing");

        using (var reader = new StreamReader(Request.Body))
        {
            // Read the raw request body exactly as it was sent; the hash covers these bytes.
            var body = await reader.ReadToEndAsync();

            // Concatenation order matters: this hashes secret + body.
            string hashedSecret = (AppSettings.Value.Data.AppSecretKey + body).Sha256Base64();
            if (hashedSecret != XSignature)
            {
                return BadRequest("Secrets are not matching");
            }
        }

        applicationLifetime.StopApplication();

        return Ok("App was restarted...");
    }

which always returns hashedSecret != XSignature

How is the hash computed on your side?

Do you confirm: Base64(Sha256(RequestBody + Secret))?

Any help?

I’m submitting a…

[ ] Regression (a behavior that stopped working in a new release)
[x] Bug report
[ ] Performance issue
[ ] Documentation issue or request

Environment

  • [ ] Self hosted with version docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version


What I see is that you changed the order of the secret and the body.

This is my implementation:

Can you share your Sha256Base64 method?

My method is exactly the same as yours. I even made a test with a copy from your code. I still have different hashes…
That’s weird!

One thing that was definitely different is:

(AppSettings.Value.Data.AppSecretKey + body).Sha256Base64()

vs

$"{requestBody}{action.SharedSecret}".Sha256Base64(),

so hash and body are concatenated in different orders.

Solved !
String + string !== $(string string)
Good to know.

Really? Is it not the order that is the problem? Have you tested

(body + AppSettings.Value.Data.AppSecretKey).Sha256Base64()
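As an added example (not code from the thread, nor from the sender's or the receiver's project), here is the verification scheme the thread converges on, written in Python: Base64(SHA-256(body + secret)), the reversed order kept alongside for contrast, and a constant-time comparison in place of `!=`. It also shows that building the hash input by concatenation or by interpolation gives the same signature, so only the order of the two parts changes the result. The function names, body and secret values are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
SAMPLE_BODY = '{"type":"SettingsChanged","version":3}'
SAMPLE_SECRET = "example-shared-secret"


def sha256_base64(text: str) -> str:
    """Base64(SHA-256(UTF-8 bytes of text)): the Sha256Base64 helper both sides use."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def sender_signature(body: str, secret: str) -> str:
    """X-Signature as the sender computes it: Base64(SHA-256(body + secret))."""
    return sha256_base64(body + secret)


def verify_signature(body: str, secret: str, x_signature: str) -> bool:
    """Receiver-side check. `body` must be the raw request body, not a re-serialized
    copy, because any whitespace or key-order change alters the hash. The comparison
    is constant-time so a wrong signature is not distinguishable by response timing."""
    if not x_signature:
        return False
    expected = sender_signature(body, secret).encode("ascii")
    return hmac.compare_digest(expected, x_signature.encode("utf-8"))


def verify_wrong_order(body: str, secret: str, x_signature: str) -> bool:
    """The receiver's original check, hashing secret + body; it never matches a
    signature computed over body + secret, which is the mismatch the thread tracks down."""
    expected = sha256_base64(secret + body).encode("ascii")
    return hmac.compare_digest(expected, x_signature.encode("utf-8"))


def interpolation_matches_concatenation(body: str, secret: str) -> bool:
    """Building the hash input with `+` or with an f-string yields the same string,
    so only the order of body and secret changes the signature."""
    return sha256_base64(body + secret) == sha256_base64(f"{body}{secret}")
```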