skip to Main Content

I’m trying to validate the contents of a webhook payload from the whatsapp webhooks using the steps in the .Facebook developer docs,

I dont understand what this mean

Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to u00e4u00f6u00e5.

that why I’ve always got false when comparing hash value And i want to make it in php/laravel.

after sometimes i tried to use

            $knownSignature = (new UnicodeString($request->getContent()))->normalize(UnicodeString::NFKC);

and

$knownSignature = Str::ascii($request->getContent());

But still doesnt match.
event when i tried to convert äöå it still outputting u00e4u00f6u00e5

This is Symfoni and Laravel docs for escape unicode string

2

Answers


  1. Chosen as BEST ANSWER

    I've done just like @CBroe said it did not work in my previous function, but when I remake it like this its works

    protected function validatePayloads(string $waSignature,string $payloads){
        $receivedSignature = explode('=', $waSignature)[1];
    
        $generatedSignature = hash_hmac(
            'sha256',
            $payloads,
            config('app.app_secret')
        );
    
        if($receivedSignature == $generatedSignature){
            return true;
        }else{
            return false;
        }
    }
    

    Just like @CBroe said you need to hash the raw request


  2. The answer @Blue Moon gave does compare strings with the === operator, which is not safe to do when comparing user-provided strings / hashes. You should use hash_equals() (https://www.php.net/manual/en/function.hash-equals.php) to avoid timing attacks!

    Also, @Patel TiLAK – using $request->getContent() does work, maybe you did not use the correct App Secret?

    private function verifySignature(Request $request)
    {
        $body = $request->getContent();
        $requestHash = 'sha256=' . hash_hmac('sha256', $body, config('services.whatsapp.app_secret'));
    
        if (!hash_equals($requestHash, $request->header('X-Hub-Signature-256'))) {
            return false;
        }
    
        return true;
    }
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search