
validate payloads as recommended by meta

Open · hamza-shezad opened this issue · 1 comment

As mentioned in https://developers.facebook.com/docs/graph-api/webhooks/getting-started, event notifications should be validated with the SHA256 hash provided in the X-Hub-Signature-256 header. This will ensure secure communication and help reject bad requests.

hamza-shezad avatar Aug 29 '23 07:08 hamza-shezad

I have a solution for this:

```js
const { createHmac, timingSafeEqual } = require("crypto");

function validateHash(req, res, next) {
  // Meta's GET verification request is not signed, so let it through.
  if (req.method === "GET") {
    next();
    return;
  }

  // HMAC-SHA256 of the body under the app secret, hex encoded. This hashes the
  // body that express.json already parsed and JSON.stringify re-encoded.
  const hash = createHmac("sha256", APP_SECRET).update(JSON.stringify(req.body)).digest("hex");
  // Header looks like "sha256=<hex>"; tolerate a missing header instead of throwing.
  const header = req.get("X-Hub-Signature-256") || "";
  const splitHash = header.split("=")[1] || "";
  // Constant-time comparison; timingSafeEqual needs equal-length inputs.
  const valid = splitHash.length === hash.length && timingSafeEqual(Buffer.from(splitHash), Buffer.from(hash));
  if (!valid) {
    res.sendStatus(200);
    return;
  }

  next();
}

whatsappApi.startExpressServer({
  useMiddleware: (app) => {
    app.use(WEBHOOK_PATH, validateHash);
  },
});
```

But there is a problem with this: if there is an @ in the response, an invalid signature is produced. E.g. if I send a message containing an email address, the signatures do not match. This may be due to the express.json middleware in https://github.com/tawn33y/whatsapp-cloud-api/blob/32270afa807b398f4d02e91a7018f0c1721f0575/src/startExpressServer.ts#L26

or some formatting applied by WhatsApp? How can I verify this?

hamza-shezad avatar Aug 29 '23 12:08 hamza-shezad

Closing - please read more here.

tawn33y avatar Jul 25 '24 04:07 tawn33y