Webhooks: generated signatures are not matching with Proposed signatures

Hello,
I’m trying to validate webhooks in PHP following this guide https://developers.dwolla.com/guides/webhooks/validating-webhooks#step-3-validating-webhooks.

The generated signature is not matching the proposed signature from Dwolla.

Here is the code snippet for my code:
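public function verify_gateway_signature($proposedSignature, $payloadBody)
{
    // HMAC-SHA256 of the payload, keyed with the webhook secret
    $signature = hash_hmac('sha256', $payloadBody, $this->webhook_secret);
    Logger::info('GeneratedSignature: ' . $signature);
    // hash_equals() compares in constant time and avoids loose == type juggling
    $isValid = is_string($proposedSignature) && hash_equals($signature, $proposedSignature);
    return ['generated_signature' => $signature, 'is_valid' => $isValid];
}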

And reading the proposed signature from headers:
$request->header('X-Request-Signature-SHA-256');

Hi Brijesh! Would you be able to share your accountID or your Webhook subscription ID?
It is possible that you may have multiple Webhook subscriptions and that you may be comparing the signature of the webhook sent for subscription A with the one you set for subscription B. Again, just a speculation that I thought we’d confirm is not the case before diving deep!

Hi Shreya,

Thanks for getting back. I found the issue and it was due to the escaped characters when converting Dwolla payload to string. I was able to fix it by encoding Dwolla payload to string without escaping “/”.

Thanks again.

Hi Brijesh – glad you were able to find that out! Thanks for posting an update! :slight_smile:


@shreya I am facing a similar problem. I only have one active webhook subscription. Details are below

raw request body

b'{"id":"eb3d9fc7-51ec-48c3-ab1f-f2373d0e8b17","resourceId":"96651221-b959-eb11-812c-fa7f62b274da","topic":"customer_bank_transfer_created","timestamp":"2021-01-18T18:15:24.454Z","_links":{"self":{"href":"https://api-sandbox.dwolla.com/events/eb3d9fc7-51ec-48c3-ab1f-f2373d0e8b17"},"account":{"href":"https://api-sandbox.dwolla.com/accounts/e3385207-c007-48a9-b958-02af4ff3ebd8"},"resource":{"href":"https://api-sandbox.dwolla.com/transfers/96651221-b959-eb11-812c-fa7f62b274da"},"customer":{"href":"https://api-sandbox.dwolla.com/customers/05fbaa35-a2be-43c1-b64f-66f2edc4fab0"}},"created":"2021-01-18T18:15:24.454Z"}'
Secret: u_RiRCONj_6G0EMO46pbPXjuH1lJPpqMyQtr9kabHsE=
signature: f38a248ce1e80377076c9aa15ebb573d29d40e382f3d63a17b9d372fd334d156

List of webhook subscription

{
    "_links": {
        "self": {
            "href": "https://api-sandbox.dwolla.com/webhook-subscriptions",
            "type": "application/vnd.dwolla.v1.hal+json",
            "resource-type": "webhook-subscription"
        }
    },
    "_embedded": {
        "webhook-subscriptions": [
            {
                "_links": {
                    "self": {
                        "href": "https://api-sandbox.dwolla.com/webhook-subscriptions/5efebaa5-d98e-450b-8668-2690bae22231",
                        "type": "application/vnd.dwolla.v1.hal+json",
                        "resource-type": "webhook-subscription"
                    },
                    "webhooks": {
                        "href": "https://api-sandbox.dwolla.com/webhook-subscriptions/5efebaa5-d98e-450b-8668-2690bae22231/webhooks",
                        "type": "application/vnd.dwolla.v1.hal+json",
                        "resource-type": "webhook"
                    }
                },
                "id": "5efebaa5-d98e-450b-8668-2690bae22231",
                "url": "https://api-dev.payloqal.com/api/external/provider/webhook/w7g0EwKYyeLtvUZJVLds5EPHf7FLio2976BuUgkoUhS8ZleUDaz1R621uwG3fx0WH3KBC32b7yYFYUC0g1CIiSzLrPxbdkvXn0Eg8ukAnjvBVqcJIaSBKPPnW3UhAGfo/",
                "paused": false,
                "created": "2021-01-18T17:59:27.321Z"
            }
        ]
    },
    "total": 1
}

Hey @PriyanshuJain – Thanks for posting the above details!

I am seeing the same Signature as well on the webhook we sent you for the above event.

signature: f38a248ce1e80377076c9aa15ebb573d29d40e382f3d63a17b9d372fd334d156

Unfortunately, I’m unable to view the secret you used to create the subscription on our end. I cross checked with an online HMAC-SHA256 generator tool to check my results, and was unable to create the same hash with the secret you posted. I’d check that the secret is accurate, and the code you’re using to create the SHA256 HMAC hash is creating the hash properly.

Let me know if I can help check anything on my end!

@shreya Thanks for the response. We had an internal issue with the request body encoding. It’s resolved and signature is working fine.

Great! Thanks for the update! :slight_smile:
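
Added example, not part of the original thread and not Dwolla's code: both fixes reported above come down to computing the HMAC over the request body exactly as received, so this Python sketch checks one signature against the raw bytes and against three re-serialized copies of the same JSON. The secret, the body and the function names are constructed for illustration; the "escaped slashes" variant imitates a serializer that writes "/" as "\/".

```python
import hashlib
import hmac
import json

# Constructed sample values, not taken from the thread.
SECRET = b"example-webhook-secret"
RAW_BODY = (b'{"id":"00000000-0000-0000-0000-000000000001",'
            b'"topic":"customer_created",'
            b'"_links":{"self":{"href":"https://api.example.test/events/1"}}}')


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the body bytes, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, proposed) -> bool:
    """Constant-time check of the header value against the HMAC of `body`."""
    if not isinstance(proposed, str):
        return False  # header missing
    return hmac.compare_digest(sign(secret, body).encode(), proposed.encode())


def reencoded_variants(raw_body: bytes) -> dict:
    """Bytes a handler ends up with if it parses the JSON and serializes it again."""
    parsed = json.loads(raw_body)
    compact = json.dumps(parsed, separators=(",", ":"))
    return {
        "default json.dumps": json.dumps(parsed).encode(),        # adds spaces
        "escaped slashes": compact.replace("/", "\\/").encode(),  # "/" -> "\/"
        "compact, slashes unescaped": compact.encode(),           # happens to match
    }


def check_all(secret: bytes, raw_body: bytes, proposed) -> dict:
    """Verify the same signature against the raw body and each re-encoding."""
    results = {"raw bytes": verify(secret, raw_body, proposed)}
    for name, body in reencoded_variants(raw_body).items():
        results[name] = verify(secret, body, proposed)
    return results


if __name__ == "__main__":
    header = sign(SECRET, RAW_BODY)  # stands in for X-Request-Signature-SHA-256
    for name, ok in check_all(SECRET, RAW_BODY, header).items():
        print(f"{name:28} {'match' if ok else 'MISMATCH'}")
```

A re-encoded copy only verifies when the serializer happens to reproduce the sender's bytes, so the handler should read the raw body before any JSON parsing and pass those bytes to the check.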