Error with webhook authentication documentation?

(Galenweber) #1

I believe there may be an error with the javascript webhook authentication documentation detailed here:

The javascript code shown is:

var verifyGatewaySignature = function(proposed_signature, webhook_secret, payload_body) {
  var crypto    = require('crypto')
  , secret      = 'API_SECRET_HERE'
  , text        = webhook_secret + payload_body
  , hash;

  hash = crypto.createHmac('sha1', secret).update(text).digest('hex');

  return proposed_signature === hash;

I believe the 'API_SECRET_HERE' should not be included. Running this code failed for me. However, when I re-wrote it as the below, it worked perfectly (as in, webhooks from Dwolla returned true). I pulled the webhook_secret out of the variable assignment for text, and used that webhook_secret rather than my API secret in the hash function.

var verifyGatewaySignature = function(proposed_signature, webhook_secret, payload_body) {
  var crypto    = require('crypto')
  , hash;

  hash = crypto.createHmac('sha1', webhook_secret).update(payload_body).digest('hex');

  return proposed_signature === hash;

Let me know if I’m mistaken about this.


(Spencer Hunter) #2

Ah, Thanks for pointing this out and apologies for the confusion! This should be your webhook secret that you passed in when first creating the webhook subscription and not your API secret. I’ll get the documentation updated to reflect the correct secret.

Important notice: An announcement will be coming shortly with regards to update to webhook signing. We’ll be setting a timeline to deprecate the existing X-Request-Signature which uses SHA1 to the new X-Request-Signature-Sha-256 which uses a SHA256 hash has when signing webhooks. To make the transition seamless, we’ve included a new X-Request-Signature-Sha-256 header to all webhooks.

(Galenweber) #3

Thanks Spencer,

And just the second thing I believe you will have to update is the assignment of text (which gets passed to the crypto update function). In the current documentation (quoted below), you concatenate the webhook secret with the payload body. I believe it should just be the payload body.

(Charlie Heath) #4

Where does the secret come from if you create the webhook from the application using add/remove application features?

(Spencer Hunter) #5

@TownWebsites, When you register a webhook url in your application’s settings then this will be for receiving webhooks when working with API v1. As mentioned in this guide, you’ll use your application’s client_secret when validating the webhook request from Dwolla.

(Charlie Heath) #6

I can’t find a definition of the client_secret. Is this the secret listed in the registered applications screen beneath the key, same secret as is used for the redirect verifyGatewaySignature()?

(Spencer Hunter) #7

Correct. Your Application Key = client_id and your Application Secret = client_secret.