2

I need to verify a Xero webhook in my Node.js project. These are the Xero documentation steps for verification: https://developer.xero.com/documentation/webhooks/creating-webhooks#STATUS

var crypto = require("crypto")
function getHmacSha256(message, secret) {
  return crypto.createHmac("sha256", secret).update(message).digest("base64")
}

// webhookPayload and signature come from the webhook body and header
const webhookPayload = {
  events: [],
  firstEventSequence: 0,
  lastEventSequence: 0,
  entropy: 'OSHPXTUSXASRFBBCJFEN'
}
const signature = "OXLaeyZanKI5QDnLkXIVB35XrZygYsPMeK8WfoXUMU8="


const myKey = "1y5VYfv7WbimUQIMXiQCB6W6TKIp+5ZZJNjn3Fsa/veK5X/C8BZ4yzvPkmr7LvuL+yfKwm4imnfAB5tEoJfc4A=="

var hash = getHmacSha256(JSON.stringify(webhookPayload), myKey)

//If the payload is hashed using HMACSHA256 with your webhook signing key and base64 encoded, it should match the signature in the header.

if (signature === hash) {
  return res.status(200).end()
} else {
  return res.status(401).end()
}

Every time, my signature and hash are different, so it returns 401 every time. So I have not been able to complete "Intent to receive".

4

1 Answer

3

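Based on your description, my guess is that you are unintentionally modifying the request body. You need to accept the raw request body from the webhook event without modification. If this body is modified at all, your code will fail to verify the signature and will fail Xero's "Intent to receive" validation. Check out this blog post for details.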

Answered 2021-01-04T18:23:37.030
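Added example (not part of the original question or answer): verifying the signature over the raw request bytes with Node's built-in `http` and `crypto` modules, and showing that a parse-then-`JSON.stringify` round trip yields a 401. The key, body and function names are constructed for illustration; the header name `x-xero-signature` is the one Xero's webhook documentation uses.

```javascript
const crypto = require("crypto");
const http = require("http");

// Xero sends the base64 HMAC-SHA256 of the exact request bytes in this header.
const SIGNATURE_HEADER = "x-xero-signature";

// Compare the header against an HMAC computed over the untouched body bytes.
function verifySignature(rawBody, signatureHeader, signingKey) {
  const expected = crypto.createHmac("sha256", signingKey).update(rawBody).digest();
  const received = Buffer.from(String(signatureHeader || ""), "base64");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Status code for the check: 200 on a valid signature, otherwise 401.
function statusFor(rawBody, headers, signingKey) {
  return verifySignature(rawBody, headers[SIGNATURE_HEADER], signingKey) ? 200 : 401;
}

// Server that buffers the raw bytes itself; no body parser runs before the check.
function createWebhookServer(signingKey) {
  return http.createServer((req, res) => {
    const chunks = [];
    req.on("data", (chunk) => chunks.push(chunk));
    req.on("end", () => {
      res.statusCode = statusFor(Buffer.concat(chunks), req.headers, signingKey);
      res.end();
    });
  });
}

// Constructed sample data (not a real key or a real Xero request).
const SAMPLE_KEY = "constructed-demo-signing-key";
const SAMPLE_BODY = Buffer.from(
  '{"events":[],"firstEventSequence": 0,"lastEventSequence": 0, "entropy":"CONSTRUCTEDENTROPY"}');
const SAMPLE_HEADERS = {
  [SIGNATURE_HEADER]: crypto.createHmac("sha256", SAMPLE_KEY).update(SAMPLE_BODY).digest("base64"),
};

// Re-serializing the parsed body drops whitespace, so the HMAC no longer matches.
function demo() {
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString("utf8"))));
  return {
    raw: statusFor(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_KEY),
    reserialized: statusFor(reserialized, SAMPLE_HEADERS, SAMPLE_KEY),
  };
}
```

If a framework body parser is in use, the same check applies as long as the handler is given the unparsed bytes (for example a raw-body parser on the webhook route) rather than the parsed object.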