Don't add header to the body of webhook or remove the headers later

:bullseye: What is your goal?

Authenticate webhook using HMAC

:thinking: What is the problem & what have you tried?

The webhook passes the HMAC digest in the webhook header. When the option “parse headers” is enabled for webhook, the headers are added as an array to the body of the webhook. To calculate my own HMAC digest for comparison, the Python code is:

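    import base64, hashlib, hmac
    # secret and data must be bytes; data is the webhook body being signed
    digest = hmac.new(secret, msg=data, digestmod=hashlib.sha256).digest()
    calculated_signature = base64.b64encode(digest)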

So I need to use the body of the webhook in the sha256() function, which I set as

sha256(webhook_bundle;base64;secret;text)

This will always be different since the body of the webhook has changed.

Sample webhook

[
    {
        "order_number": "webhook_12345",
        "partner_order_id": "webhook_12345",
        "fulfillment-status": "canceled",
        "__IMTHEADERS__": [
            {
                "name": "x-hmac-sha256",
                "value": "JMHimfnNPO0"
            }
        ]
    }
]

Is it possible to get the header value without it being added to the body or remove the array during the HMAC calculation?

Hi,

That’s expected in Make. When Parse headers is enabled, Make always adds the headers to the bundle under __IMTHEADERS__, and there’s no way to prevent that.

The workaround is simply to exclude __IMTHEADERS__ from the data you hash. Rebuild the body without that field and use it for the HMAC calculation. You can still read the signature value directly from __IMTHEADERS__ for the comparison.

Once you do that, the calculated HMAC will match.

Hope this helps.

Regards, Tony
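
Added example (not from the original thread or from Make): a Python sketch of the workaround described in the answer above for a single bundle object, which drops `__IMTHEADERS__`, re-serializes the remaining fields, and compares signatures with `hmac.compare_digest`. It assumes the sender signed compact UTF-8 JSON with keys in the received order; the secret and signatures are constructed for the demo, and all helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

HEADERS_KEY = "__IMTHEADERS__"  # field Make adds when "Parse headers" is on
SIG_HEADER = "x-hmac-sha256"    # header name from the sample webhook

def sign(secret: bytes, body: bytes) -> str:
    """Base64 HMAC-SHA256 over the exact bytes, as in the question's snippet."""
    digest = hmac.new(secret, msg=body, digestmod=hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")

def split_bundle(bundle: dict):
    """Return (payload without the headers field, signature value or None)."""
    payload = {k: v for k, v in bundle.items() if k != HEADERS_KEY}
    headers = bundle.get(HEADERS_KEY) or []
    sig = next((h.get("value") for h in headers if isinstance(h, dict)
                and str(h.get("name", "")).lower() == SIG_HEADER), None)
    return payload, sig

def canonical(payload: dict) -> bytes:
    # ASSUMPTION: the sender signed compact JSON with keys in this order.
    text = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")

def verify(secret: bytes, bundle: dict) -> bool:
    payload, received = split_bundle(bundle)
    if not isinstance(received, str) or not received:
        return False  # a missing signature is a failure, never a pass
    expected = sign(secret, canonical(payload))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample data: the secret is made up for this example.
SECRET = b"constructed-demo-secret"
ORDER = {"order_number": "webhook_12345", "partner_order_id": "webhook_12345",
         "fulfillment-status": "canceled"}

def bundle_signed_over(raw_body: bytes) -> dict:
    """Simulate the scenario's view: parsed body plus the headers array."""
    return {**json.loads(raw_body), HEADERS_KEY: [
        {"name": SIG_HEADER, "value": sign(SECRET, raw_body)}]}
```

If the sender serialized the body differently from `canonical()` (whitespace, key order, escaping), the rebuilt bytes differ from the signed bytes and verification fails even for an authentic message.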