I am developing a custom app, and need to handle verifying the authenticity of incoming webhooks.
I have set up the webhook and an instant trigger module, and receiving the webhooks is working properly.
However, in order to verify the webhook authenticity I need to perform an HMAC hash of some headers and the webhook request body (the webhook follows the standard-webhooks format https://www.standardwebhooks.com/).
I can access the headers, but I can’t seem to access the raw text body of the request - {{body}} contains an already-parsed collection of the request body - I need access to the raw body text, as the input to the hash function must exactly match what was sent (including spaces and order).
The incoming webhook request has the header “content-type: application/json”.
Experimenting, if I send a webhook with “content-type: text/plain” then the raw request body is available (as {{body.value}}) and I can correctly calculate the hash.
So, it seems like Make is automatically detecting the content-type and parsing the request body for me.
Is there a way to access the raw body text? Or is there a way in the webhook communication block to override the content-type to get it to interpret it as text/plain?
For reference, here is some example code to pull out the headers, etc. and calculate the hash:
{
    "temp": {
        // headers sent along with the webhook
        "webhook-id": "{{headers['webhook-id']}}",
        "webhook-timestamp": "{{headers['webhook-timestamp']}}",
        "webhook-signature": "{{headers['webhook-signature']}}",
        // Concatenate the webhook-id header, webhook-timestamp header and the raw request body
        // This is used to calculate the hmac hash and compare against the signature in the header
        "signature-input": "{{headers['webhook-id']+'.'+headers['webhook-timestamp']+'.'+body}}"
    },
    "output": {
        "body": "{{body}}",
        // calculate the signature
        "calculated-signature": "v1,{{sha256(temp['signature-input'], 'base64', '<webhook-secret>', 'text')}}",
        // and compare against the signature in the header
        "webhook-signature": "{{temp['webhook-signature']}}",
        // output the input to the hash function for debugging
        "signature-input": "{{temp['signature-input']}}"
    }
}
And a screenshot of the result
As you can see, when calculating the hash it renders the body as [Collection], instead of the raw body.
If I send a webhook with a different content-type: text/plain, then it works (accessing {{body.value}})
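The signature check described in the post, as an added Python example that is not part of the original post and is not Make or Standard Webhooks code: it verifies once against the bytes as received and once against the parsed-then-re-serialized body, which is the failure the poster ran into. The key, message id, timestamp, body and the 300-second tolerance window are constructed for the example; how the key bytes are derived from the provider's secret is left to the caller.

```python
import base64
import hashlib
import hmac
import json


def sign(key: bytes, msg_id: str, timestamp: str, raw_body: bytes) -> str:
    """Return 'v1,<base64 HMAC-SHA256>' over '<id>.<timestamp>.<raw body>'."""
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + raw_body
    digest = hmac.new(key, signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(key: bytes, headers: dict, raw_body: bytes, now: int,
           tolerance: int = 300) -> bool:
    """Check the webhook-signature header against the bytes as received."""
    try:
        msg_id = headers["webhook-id"]
        timestamp = headers["webhook-timestamp"]
        candidates = headers["webhook-signature"].split()
        skew = abs(now - int(timestamp))
    except (KeyError, ValueError):
        return False  # missing header or non-numeric timestamp
    if skew > tolerance:  # tolerance window is an assumption of this example
        return False
    expected = sign(key, msg_id, timestamp, raw_body).encode()
    # The header may list several space-separated signatures; accept any
    # match, compared in constant time.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


# Constructed sample data (not from a real provider).
KEY = b"constructed-demo-key"
RAW_BODY = b'{"type": "invoice.paid",  "data": {"id": 42, "amount": 10.0}}'
HEADERS = {"webhook-id": "msg_constructed_001",
           "webhook-timestamp": "1700000000"}
HEADERS["webhook-signature"] = sign(
    KEY, HEADERS["webhook-id"], HEADERS["webhook-timestamp"], RAW_BODY)


def demo() -> tuple:
    """Verify once with the raw bytes, once with the re-serialized parse."""
    reparsed = json.dumps(json.loads(RAW_BODY)).encode()
    now = 1700000060
    return verify(KEY, HEADERS, RAW_BODY, now), verify(KEY, HEADERS, reparsed, now)


if __name__ == "__main__":
    print(demo())
```

The second result is False only because re-serializing changed the whitespace of the body; the key and headers are identical in both calls.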