WooCommerce Webhooks Auth (secret & signature) - how to use
The signature needs to be checked against the body and not the JSON it contains. i.e. the raw bytes of the req.body.
Modify the bodyParser
first:
const rawBodySaver = (req, res, buf, encoding) => { if (buf && buf.length) { req.rawBody = buf.toString(encoding || 'utf8'); }};app.use(bodyParser.json({ verify: rawBodySaver }));app.use(bodyParser.urlencoded({ verify: rawBodySaver, extended: true }));app.use(bodyParser.raw({ verify: rawBodySaver, type: '*/*' }));
and then, using crypto (it is distributed with node you don't need to npm install
anything.)
import crypto from 'crypto'; //Let's try with built-in crypto lib instead of cryptoJSrouter.post('/', function (req, res) { const secret = 'ciPV6gjCbu&efdgbhfgj&¤"#&¤GDA'; const signature = req.header("X-WC-Webhook-Signature"); const hash = crypto.createHmac('SHA256', secret).update(req.rawBody).digest('base64'); if(hash === signature){ res.send('match'); } else { res.send("no match"); }});
I hope below will save someone some time.
// Make sure to add a WISTIA_SECRET_KEY in your Environment Variables// See https://docs.pipedream.com/environment-variables/const secret = process.env.SELF_AUTOMATE_KEY;const signature = event.headers["x-wc-webhook-signature"];const body = steps.trigger.raw_event["body_b64"];const clean_Body = body.replace("body_b64: ", "");//const body = steps.trigger.raw_event;console.log(event.headers["x-wc-webhook-signature"]);console.log("Print Body", clean_Body);if (process.env.SELF_AUTOMATE_KEY === undefined) { $end("No WISTIA_SECRET_KEY environment variable defined. Exiting.")}if (!("x-wc-webhook-signature" in event.headers)) { $end("No x-wc-webhook-signature header present in the request. Exiting.")}// Once we've confirmed we have a signature, we want to // validate it by generating an HMAC SHA-256 hexdigestconst crypto = require('crypto');const hash = crypto.createHmac('sha256', secret).update(JSON.stringify(clean_Body), 'base64').digest('base64');console.log(hash);// $end() ends the execution of a pipeline, presenting a nice message in the "Messages"// column in the inspector above. See https://docs.pipedream.com/notebook/code/#endif (hash !== signature) { $end("The correct secret key was not passed in the event. Exiting!")}