Webhook API sha1 validation

Could you supply the exact text string used as the ‘’ in the sha1 generation example at the bottom of the document https://poynt.github.io/developer/doc/webhooks.html that results in the Poynt-Webhook-Signature supplied in the example? I’ve tried a variety of strings based on the example payload and not yet come up with a format that generates the supplied signature (lots of other signatures unfortunately).

Alternatively, another example would also be great. Just need to understand the string format used by the signature generator so I can validate successfully.

Thanks much!

–peter

@peter here’s an example webhook:

POST /webhook_listener.php HTTP/1.1
Content-Type: application/json
poynt-webhook-signature: LsLMMShBDVjuPLrejYpkAsCU4YY=
Content-Length: 677
Host: ad4df697.ngrok.io
User-Agent: Apache-HttpClient/4.3.3 (java 1.5)
Accept-Encoding: gzip,deflate
X-Forwarded-Proto: https
X-Forwarded-For: 50.16.107.250

{"createdAt":"2017-07-22T16:27:08Z","updatedAt":"2017-07-22T16:27:08Z","links":[{"href":"https://services.poynt.net/businesses/469e957c-57a7-4d54-a72a-9e8f3296adad/transactions/b88ce811-3e43-4ae4-9d50-c32f9554ef79","rel":"resource","method":"GET"}],"id":"e79ab430-f3ff-4d24-abcd-a366c74c9138","deviceId":"urn:tid:d23eaeca-675f-3766-9c51-f6a0707e2587","hookId":"174026fd-e185-4930-9917-44323fc98d03","applicationId":"urn:aid:6bdee3b0-ced0-4263-ac4e-f783acc9857e","resource":"/transactions","resourceId":"b88ce811-3e43-4ae4-9d50-c32f9554ef79","eventType":"TRANSACTION_REFUNDED","businessId":"469e957c-57a7-4d54-a72a-9e8f3296adad","storeId":"d1f94f81-6257-41ce-83a8-54bf233fc78d"} 

Note poynt-webhook-signature: LsLMMShBDVjuPLrejYpkAsCU4YY=

And here’s the validation:

[Sat Jul 22 09:27:29 dennis: ~/Downloads] echo -n '{"createdAt":"2017-07-22T16:27:08Z","updatedAt":"2017-07-22T16:27:08Z","links":[{"href":"https://services.poynt.net/businesses/469e957c-57a7-4d54-a72a-9e8f3296adad/transactions/b88ce811-3e43-4ae4-9d50-c32f9554ef79","rel":"resource","method":"GET"}],"id":"e79ab430-f3ff-4d24-abcd-a366c74c9138","deviceId":"urn:tid:d23eaeca-675f-3766-9c51-f6a0707e2587","hookId":"174026fd-e185-4930-9917-44323fc98d03","applicationId":"urn:aid:6bdee3b0-ced0-4263-ac4e-f783acc9857e","resource":"/transactions","resourceId":"b88ce811-3e43-4ae4-9d50-c32f9554ef79","eventType":"TRANSACTION_REFUNDED","businessId":"469e957c-57a7-4d54-a72a-9e8f3296adad","storeId":"d1f94f81-6257-41ce-83a8-54bf233fc78d"}' | openssl sha1 -hmac "not-the-secret-you-know" -binary | base64
LsLMMShBDVjuPLrejYpkAsCU4YY=
[Sat Jul 22 09:28:05 dennis: ~/Downloads] 

Note that the hash produced matches what was sent in the request.
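The same check as the openssl pipeline above, as an added Python example that is not part of the original thread and is not Peter's gist: HMAC-SHA1 over the raw request body bytes, base64 of the binary digest, compared in constant time against the poynt-webhook-signature header. The secret, the sample body and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not a real Poynt secret or payload).
SECRET = b"example-shared-secret"
BODY = (b'{"resource":"/transactions",'
        b'"resourceId":"00000000-0000-0000-0000-000000000000",'
        b'"eventType":"TRANSACTION_REFUNDED"}')


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Base64 of the binary HMAC-SHA1 digest (openssl sha1 -hmac ... -binary | base64)."""
    digest = hmac.new(secret, raw_body, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Check the poynt-webhook-signature header against the bytes actually received."""
    if not header_value:
        return False  # missing header: reject rather than skip the check
    expected = compute_signature(secret, raw_body)
    # Compare as bytes in constant time so the comparison does not leak
    # how many leading characters of the signature were correct.
    return hmac.compare_digest(expected.encode("ascii"),
                               header_value.strip().encode("utf-8"))


def reserialize(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON: same data, different bytes, so the HMAC changes."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    sig = compute_signature(SECRET, BODY)
    print("exact body      :", verify_webhook(SECRET, BODY, sig))
    print("trailing newline:", verify_webhook(SECRET, BODY + b"\n", sig))
    print("re-serialized   :", verify_webhook(SECRET, reserialize(BODY), sig))
```

Verify against the body bytes exactly as they arrived, before any JSON parsing; a trailing newline (the reason for echo -n above) or re-serialized JSON produces a different signature.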

Thanks Dennis. Appreciate the help!

I’ve created a gist with a Python implementation of this methodology. Feel free to share or republish.

–peter

Very cool, thank you!