I’m trying to validate the contents of a webhook payload from the whatsapp webhooks using the steps in the .Facebook developer docs,
I dont understand what this mean
Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to u00e4u00f6u00e5.
that why I’ve always got false when comparing hash value And i want to make it in php/laravel.
after sometimes i tried to use
$knownSignature = (new UnicodeString($request->getContent()))->normalize(UnicodeString::NFKC);
and
$knownSignature = Str::ascii($request->getContent());
But still doesnt match.
event when i tried to convert äöå it still outputting u00e4u00f6u00e5
2
Answers
I've done just like @CBroe said it did not work in my previous function, but when I remake it like this its works
Just like @CBroe said you need to hash the raw request
The answer @Blue Moon gave does compare strings with the === operator, which is not safe to do when comparing user-provided strings / hashes. You should use
hash_equals()
(https://www.php.net/manual/en/function.hash-equals.php) to avoid timing attacks!Also, @Patel TiLAK – using $request->getContent() does work, maybe you did not use the correct
App Secret
?