Greetings,
I am trying to have the WhatsApp API implemented on my side for a web app, and in the docs they say, and I quote:
Validating Payloads
We sign all Event Notification payloads with a SHA256 signature and include the signature in the request’s X-Hub-Signature-256 header, preceded with sha256=. You don’t have to validate the payload, but you should.
To validate the payload:
- Generate a SHA256 signature using the payload and your app’s App Secret.
- Compare your signature to the signature in the X-Hub-Signature-256 header (everything after sha256=). If the signatures match, the payload is genuine.
found on this Link
Now, on my side I get the payload and I use it to generate the hash, but the payload is wrong
Var payloadMB As MemoryBlock = payload
Var hmac As MemoryBlock = Crypto.HMAC(wpT, payloadMB, Crypto.HashAlgorithms.SHA256)
Var hmacString As String = hmac.StringValue(0, hmac.Size)
Var generatedSignature As String = EncodeHex(hmacString).Lowercase
As sample data I have the signature
signature256 : 4591c0e7d6f4107932b3c497153a4b9845b99e6893ed308e6224e2a879ad680f
the payload
payload : {"object":"whatsapp_business_account","entry":[{"id":"0","changes":[{"field":"message_echoes","value":{"messaging_product":"whatsapp","metadata":{"display_phone_number":"16505551111","phone_number_id":"123456123"},"message_echoes":[{"from":"16315551181","to":"11234567890","id":"ABGGFlA5Fpa","timestamp":"1504902988","type":"text","text":{"body":"this is a text message"}}]}}]}]}
the hmacString
hmacString : uá
Q
ó÷Ù{v§ì°,æ% E&oÙªfÁe
and the generated signature
generatedSignature : 129675e16011a05160f32a03f7d97b76a7ecb02ce6252045266fd9aa66c1652a
They don’t really match, so the question would be: what is Xojo using as HMAC? Is there a different version in the Crypto module? It seems that the signature does not match the generated one.
Thanks
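
Added example, not part of the original post and written in Python rather than Xojo: the validation steps from the quoted docs, run against several versions of one body to show that the HMAC-SHA256 only matches when it is computed over the exact request bytes with the right secret. The secret, the payload and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

APP_SECRET = b"constructed-app-secret"  # constructed placeholder, not a real App Secret


def sign(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    """Lowercase hex HMAC-SHA256 of the exact request body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, header_value: str, secret: bytes = APP_SECRET) -> bool:
    """Check an X-Hub-Signature-256 header value against the raw body."""
    prefix = "sha256="
    if not header_value or not header_value.startswith(prefix):
        return False
    received = header_value[len(prefix):].strip().lower()
    expected = sign(raw_body, secret)
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed body, as the bytes would arrive on the wire
RAW = b'{"object":"whatsapp_business_account","entry":[{"id":"0"}]}'
HEADER = "sha256=" + sign(RAW)  # what the sender would place in the header

# Same JSON content, but no longer the same bytes
VARIANTS = {
    "parsed and re-serialized": json.dumps(json.loads(RAW)).encode(),
    "typographic quotes": RAW.decode().replace('"', "\u201c").encode("utf-8"),
    "trailing newline added": RAW + b"\n",
}


def check_all() -> dict:
    """Verify the original body and each altered variant against HEADER."""
    results = {"raw bytes": verify(RAW, HEADER)}
    for name, body in VARIANTS.items():
        results[name] = verify(body, HEADER)
    return results


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:28s} {'match' if ok else 'MISMATCH'}")
    print(f"{'wrong secret':28s}",
          "match" if verify(RAW, HEADER, b"other-secret") else "MISMATCH")
```

A mismatch like the one above is therefore worth checking in two places first: whether the bytes being hashed are the unmodified request body, and whether the key is the App Secret of the app that sent the notification.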