And you can see from the pattern that all a webhook verification has to do is extract whatever the issuer sends as the mechanism to verify it (usually a mix of a signature in a header and some payload) and then you can be certain the payload comes from a trusted source.
The the signature in the header that is generated from woocommerce and sent back looks like this
0xgKvD7mDllCK6aHDZuRbPvyF+Ac0OKh1BmlS6QFMkU=
But if I mock a signed webhook I get below…
sha256=7d916807f8bbef2376c8b0224c5d4f7303664cecc0345fbafe8b89a1ac2ea9b6 with the SHA at the front.
Noting the “sha256=…”
There is some conflicting docs out there for WC. I found a reference to the fact that the woocommmerce signature is base64 encoded and if I mock the signed webhook using base64Sha256Verifier the key looks to be in a similar shape (without the sha…)
So I have
changed my code to use base64Sha256Verifier
successfully tested in jest
tried to send the real webhook my way and it’s still returning 401.
Not sure where to go to from here from a troubleshooting point of view
I too had problems using the built-in webhook verifiers in my own application in Redwood.
I ended up basically reverse engineering it all, but my situation is different. The Webhook documentation was indeed helpful in leading the blind horse to the well (me being the blind horse haha) so no blame there.
I am using Vercel Serverless Functions and have a webhook from Shipstation being sent over to a js function in the app’s functions folder.
I couldn’t get it working with the normal verifier for Vercel intially and it seemed to be the verifier not my DB code triggering my Vercel errors.
I then just had the Serverless function just save whatever the request was skipping the verifier in case it wasn’t reading it right or something changed from Vercel’s side without notice.
That went through to my Railway DB so that was working, but it was indeed encoded as body was gibberish.
So I just basically did what the verifiers were doing in block but in js as the source was ts from what I found so some code was slightly different.
I’m curious if it is something with Vercel.
Maybe they modify the body in some way.
When the body is hashed it has to be the exact string that was hashed by the system that generates the HMAC signature.
If there’s even one character (e.g. new line or whitespace) modified then the hashes won’t match.
I experienced this with Slack webhooks and AWS lambda.
Have you tried using NGrok to test and debug locally?
I’ll try out NGrok. Pretty new to Web Dev world still haha.
I had tried going through Docs on the webhook testing via code and that was verbose.
And yes Vercel allowed me access to raw body. I basically passed along the whole Vercel event as a string to figure out what it was (which I’m pretty sure is also AWS Lambda under the hood).
Then the Vercel event has an isBase64Encoded boolean key and I just manually decoded to get a decoded raw event body.
Then in my case had to still do more decoding to get event decoded body parts.
Somewhere in there did seem to add new line breaks into the json which I believe I processed out before passing JSON to parsing.