Problem with the HMAC signature and response code #1827

Open
mermetbt opened this issue Oct 30, 2023 · 3 comments

@mermetbt

Hello,

I'm trying to test the webhook with Xero and they state in their documentation that:

> If the payload is hashed using HMACSHA256 with your webhook signing key and base64 encoded, it should match the signature in the header. This is a correctly signed payload. If the signature does not match the hashed payload it is an incorrectly signed payload.

I've configured the webhook following their instructions:

Screenshot_20231030_180521

I can see in the log that the error message is "Invalid Signature - Hash does not match"

Also, I've seen in their doc that:

> To gain Intent to receive validation, the receiving url must respond with a 2xx status for all correctly signed payloads and status: 401 Unauthorized for all incorrectly signed payloads.

And the response sent in the log is 400 Bad Request, which is different from an unauthorized request. I would expect an authentication failure to return a 401.

How could I configure this? Is there an easy way to see what the webhook received and failed to process? Like a dead-letter queue or something we could use to investigate or detect issues on the upstream?
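The check quoted from Xero's documentation in the post above, written out as an added example (it is not Convoy's code and not part of the original thread). The header name `x-xero-signature`, the signing key, the payload and the helper names are assumptions or constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
const signatureHeader = "x-xero-signature" // assumption: the page does not name the header

// sign returns base64(HMAC-SHA256(key, body)), the scheme quoted in the issue.
func sign(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// webhookHandler hashes the raw bytes as received (not re-serialised JSON) and compares in constant time.
func webhookHandler(key []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		if !hmac.Equal([]byte(sign(key, body)), []byte(r.Header.Get(signatureHeader))) {
			w.WriteHeader(http.StatusUnauthorized) // 401 for a bad signature, not 400
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// statusFor sends a constructed request through the handler and returns the status code.
func statusFor(key []byte, body, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(body))
	req.Header.Set(signatureHeader, sig)
	rec := httptest.NewRecorder()
	webhookHandler(key)(rec, req)
	return rec.Code
}

func main() {
	key, body := []byte("constructed-signing-key"), `{"events":[]}` // constructed sample values
	fmt.Println(statusFor(key, body, sign(key, []byte(body))), statusFor(key, body+" ", sign(key, []byte(body))))
}
```

A single changed byte in the body, a different key, or a missing header all take the 401 branch; only an unreadable body yields 400.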

@jirevwe
Collaborator

jirevwe commented Oct 30, 2023

Hi @mermetbt

If I understand you correctly:

  1. You specifically require a mismatched signature error to return a 401 code. For this, we would need to modify the API. It might take a while since the change will go out in the next release.
  2. If the event's signature did not match, it means Convoy did not ingest it and it wasn't written to the internal queue. We don't log request/response bodies even on the OSS version because of security, so looking at the logs won't bear any fruit on that front. We do, however, expose a UI that can be used to inspect the queues, and you can view them by visiting `http(s)://your-host/queues/monitoring/`. The trailing slash is required.

@mermetbt
Author

  1. As there might be different implementations of the authentication protocol, I would suggest a way to configure this as an advanced part of the authentication configuration. I understand it could take a while to implement this; I'm not expecting this to be released ASAP.
  2. What I mean is that for all events that don't pass (invalid signature, bad request, ...), you should probably have a dead-letter queue where they are sent for debugging. Then you can provide a display for these types of events.
    For example, here's what it looks like in the developer section of Stripe:

Screenshot_20231031_122746

I just put that as a suggestion for improvement.

@jirevwe
Collaborator

jirevwe commented Oct 31, 2023

Hmm, that makes sense. Thanks for the suggestion.
