Question 185493 in Facebook API Question posted in
The official documentation for the Facebook APIs can be found here.

Facebook api – How to validate payload for facebook whatsapp webhook in AWS Lambda?

I am trying to validate facebook’s webhook payload using the instruction they have given in their developer docs. The signature I am generating (expectedHash) is not matching the signature that I am receiving from Facebook (signatureHash). I think I am following what they are saying but I am doing something wrong which I cannot pinpoint yet.

Validating Payloads

We sign all Event Notification payloads with a SHA256 signature and
include the signature in the request’s X-Hub-Signature-256 header,
preceded with sha256=. You don’t have to validate the payload, but you
should.

To validate the payload:

Generate a SHA256 signature using the payload and your app's App Secret.
Compare your signature to the signature in the X-Hub-Signature-256 header (everything after sha256=). 
If the signatures match, the payload is genuine.

Please note that we generate the signature using an escaped unicode
version of the payload, with lowercase hex digits. If you just
calculate against the decoded bytes, you will end up with a different
signature. For example, the string äöå should be escaped to
u00e4u00f6u00e5.

Below is my code in lambda

def lambda_handler(event, context):

response = {
    "status": 500,
    "body" : "failed"
}

print("event is")
print(event)

signature = event["headers"]["X-Hub-Signature-256"]
if(not signature):
    return(f"couldn't find {signature} in headers")
else:
    elements = signature.split("=")
    print("elements is")
    print(elements)
    
    signatureHash = elements[1]
    print("signature hash is " + str(signatureHash))
    
    app_secret = os.environ.get('APP_SECRET')
    print("app_secret is " + str(app_secret)) 
    
    
    expectedHash = hmac.new(bytes(app_secret,'utf-8') ,digestmod=hashlib.sha256).hexdigest()
    print("expected hash is " + expectedHash)
    
    if(signatureHash != expectedHash):
        return response
    else:
        response["status"] = 200
        response["body"] = expectedHash
        return response

response I am getting is:

{ "status": 500, "body": "failed" }

expected response:

{ "status": 200, "body": value of expectedHash }

Could you please help me with this?

Edit 1:

Figured out how to do it.

Apparently I was using a wrong content mapping in AWS API Gateway. I needed to use the $input.body to get the raw payload data in the event argument of AWS lambda handler function. My content mapping looks like this:

#set($allParams = $input.params())
{
    "method": "$context.httpMethod",
    "params" : {
        #foreach($type in $allParams.keySet())
        #set($params = $allParams.get($type))
        "$type" : {
              #foreach($paramName in $params.keySet())
              "$paramName" : "$util.escapeJavaScript($params.get($paramName))"
              #if($foreach.hasNext),#end
              #end
        }
        #if($foreach.hasNext),#end
        #end
    },
    
    "body" : $input.body
    
}

Below is my lambda handler function for validating payload:

def lambda_handler(event, context):

response = {
    "status": 500,
    "body" : "failed"
}

print("event is")
print(event)

signature = event["params"]["header"]["X-Hub-Signature-256"]

if(not signature):
    return(f"couldn't find {signature} in headers")
else:
    try:
        elements = signature.split("=")
        print("elements is")
        print(elements)
        
        signatureHash = elements[1]
        #print("signature hash is " + str(signatureHash))
        
        app_secret = os.environ.get('APP_SECRET') 
        
        key = bytes(app_secret, 'UTF-8')
        payload = event['body']
        json_string = json.dumps(payload)
        print("payload json_string is " + json_string)
    
        expectedHash = hmac.new(key, msg=json_string.encode(), digestmod=hashlib.sha256).hexdigest()
        
        print("expected hash is " + expectedHash)
        
        if(signatureHash != expectedHash):
            print(response)
            return response
        else:
            response["status"] = 200
            response["body"] = expectedHash
            print(response)
            return response
    except Exception as e:
        return e

As of 12/14/2022, the above function works for all webhook fields except messages (which is the one I really need). Trying to figure it out.

Tags:

2

Answers


  1. 0

    This is your code but using Lambda Proxy Integration, so event keys are a bit different, event["body"], is a raw string, then you can parse it to get the elements you need from it, i think that is easier than all the mapping stuff without the lambda proxy:

    import os
import json
import hmac
import hashlib

def lambda_handler(event, context):

    response = {
        'statusCode': '200',
        'body' : "OK"
    }
    
    
    print("event is")
    print(event)

    
    signature = event["headers"]["X-Hub-Signature-256"]
    
    if(not signature):
        response["body"] =  (f"couldn't find {signature} in headers")
        return response
    else:
        try:
            elements = signature.split("=")
            print("elements is")
            print(elements)
            
            signatureHash = elements[1]
            #print("signature hash is " + str(signatureHash))
            
            app_secret = os.environ.get('APP_SECRET') 
            
            key = bytes(app_secret, 'UTF-8')
            payload = event['body']
            #json_string = json.dumps(payload)
            #print("payload json_string is " + json_string)
        
            expectedHash = hmac.new(key, msg=bytes(payload,'UTF-8'), digestmod=hashlib.sha256).hexdigest()
            
            print("expected hash is " + expectedHash)
            
            if(signatureHash != expectedHash):
                response["body"] = "eh " + expectedHash + " sh " + signatureHash
                print(response)
                return response
            else:
                response["statusCode"] = 200
                response["body"] = "Check ok"
                print(response)
                return response
        except Exception as err:
            response["body"] = f"Unexpected {err=}, {type(err)=}"
            return response
    Login or Signup to reply.
  2. 0

    I ran into this problem a few days ago and have been tearing my hair out trying to figure it out. But I finally have an answer for you!

    Initially I thought the problems I was having were related to one of the following:

    • API Gateway automatically decoding the raw bytes and passing the decoded json object to my lambda function. Then not being able to encode back into the correct raw bytes (i.e some spacing data or something had been lost). I thought this because I had seen Javascript and Python(Flask) applications validating the raw bytes before decoding the request body.
    • Something to do with that disclaimer in the documentation you referenced regarding "escaped unicode version of the payload, with lowercase hex digits".
    • Not using the correct "App secret".

    One of these was correct – it’s the App Secret!

    So it turns out there are THREE keys relating to your facebook/whatsapp application. I was trying everything I could with the 2 you usually use, namely:

    • The Verify token (which you set yourself and use when setting up your webhook – in the GET request).
      Verify Token
    • The Access token (which you use when interacting with messages or downloading media – basically in any call to the messages endpoint)
      Access Token

    But there is a THIRD! The App Secret! Found here:
    App Secret

    Using this "App Secret" – the following code will validate your incoming payload (assuming you have an environment variable on your lambda function called "FB_APP_SECRET" containing that third key shown above):

    import hashlib
import hmac
import os

secret = os.environ["FB_APP_SECRET"]

def lambda_function(event, context):
  body = event["body"]
  sig = event["headers"]["X-Hub-Signature-256"]

  if not validate_signature(body, sig):
    print("Could not validate payload!")
    # ... Do whatever you want here.


def validate_signature(data, hmac_header):
  hmac_recieved = str(hmac_header).removeprefix("sha256=")
  digest = hmac.new(secret.encode("utf-8"), data.encode("utf-8"), hashlib.sha256).hexdigest()
  return hmac.compare_digest(hmac_recieved, digest)

    Obviously you should still do all the other checks to see if it’s a POST or GET, etc… This is just a minimal example.

    NOTE: I have confirmed this works with their disclaimer example of "äöå"

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search