Validating WebHook Secret

KevinS · ‎03-25-2024

Hello,

I'm working with Monitor 2023.3.1 and I am trying to use the webhook secret. What is the correct combination of form data and secret to validate the webhook on the receiving end?

I see it is SHA256 and the form param is X-Esrihook-Signature.

I've tried various permutations of the response body and the data, but i can't get them to match.

What data should i use to validate?

A second question, is it correct that the webhook secret only allows numbers?

Thanks!

Kevin

EvanMosby

Hi folks,

The dev team took a look at this and there is a bug related to the hashed value added to the X-esriHook-Signature header.

For future reference, it should be a sha256 as Kevin described above. Definitely a bug. We'll address this in the next release and include documentation how to match on the receiver side (similar to what Kevin originally went with)

Very sorry for the confusion here, and thanks,

View solution in original post

KevinHibma · ‎03-26-2024

I don't work on Monitor webhooks, but from your description of the SHA256 X-esrihook-Signature, it sounds like it's implemented the same as other Esri webhooks (feature service for example). The answer of "how" you validate in the receiver largely depends on the receiver itself. If you're using Power Automate or Make or some commercial receiver, you'll need to investigate what methods they have available.

The basic approach is to build up a string by adding: sha256= to the calculated encoded payload body using the sha256 hash. This provides the calculated signature that you can compare to the X-esrihook-signature.

The follow Python code represents how to do this. (myKey is a variable hardcoded into the script that matches the key you used in the webhook creation)

    import hashlib
    import hmac
    import base64
    encodeKey = str.encode(myKey)

    signature = 'sha256=' + base64.b64encode(hmac.new(encodeKey, payload,
                            digestmod=hashlib.sha256).digest()).decode()

    if signature == xsigHash:
        return True
    else:
        return False

KevinS · ‎03-26-2024

Yup, that's what I've got going on, tried different permutations too. but the keys don't match. To know what is used to create the X-Esrihook-Signature value, will greatly help the validation

KevinS · ‎03-28-2024

Just wanted to add more info to my original question. The data that comes across from Monitor in the

X-Esrihook-Signature is sha256=f10cd09d9d576e8e6ecaf4c8156c34fa12ece28a1b63059e6cc9f2cfea6fb4dc

Which isn't a base64 encode but the digest from the sha256. I don't claim to be an expert in this topic, so I might have the terms mixed up. But when i combine the secret with the message body, i can't get the SHA256 to match up.

KevinHibma · ‎03-28-2024

I'll see if I can find someone on the team who can confirm the details (base64, sha256, etc).

One thing - the payload body you're using, have you encoded it? Does it have any special characters or anything?

KevinS · ‎03-28-2024

No nothing fancy, at least I don't think so, when i grab it to make my hash I just use it as it is being send around in the webhook payload as bytes.

I'm pretty sure it is 256, but what i don't know is what was put into the hash. We assume the payload and secret, but i can't match them up.

EvanMosby

Hi folks,

The dev team took a look at this and there is a bug related to the hashed value added to the X-esriHook-Signature header.

For future reference, it should be a sha256 as Kevin described above. Definitely a bug. We'll address this in the next release and include documentation how to match on the receiver side (similar to what Kevin originally went with)

Very sorry for the confusion here, and thanks,

KevinS

Awesome Thanks Evan.