Webhook/API Poll Signature Broken?


#1

I’m desperately trying to make an integration of the instant payments (with a rails app)… The vast majority of functionality has been implemented for my app, but I am completely stuck at the point of verifying signatures for the Webhook using the SHA256 hmac hash. Instead of sending a bunch of ETN to myself, I decided to try and verify payments I already made using API polls. Well, first issue is, hmac is sensitive to spaces and line breaks, and not all languages seem to treat those the same when encoding them. Second issue, I tried pretty much every single possible combination of spacing with both the rails hmac digest function and multiple online hmac generators, and all of them returned “signature verification failed”. Using a test webhook generated in the vendor settings on the electroneum website, I simply couldn’t get my sha256 hmac hash to match with the webhook header provided either. Also, the test webhooks seem to be broken, as the payment ids generated have dozens of 0s appended to them, when they should be 10 digit hexadecimal strings. Could anyone who has gotten webhook signatures to work help me here? Or could someone from the ETN team give me a random json body and a random api secret key with the valid hmac hash so I can try to get the same result? Does anyone know what spacings/line breaks should be used when encoding the JSON body?

Also, if anyone from the ETN team reads this, please consider making all of this clearer in the guide, as this could be a really bad limiting factor as to how many developers are working on instant payment integrations…

Thanks!


#2

Update: I fixed it… So to anyone having that issue, keep in mind you should not test your hmac signature verification with the test webhook generated in the vendor settings area and a REST client such as Insomnia, as the test webhook generated is spaced and formatted for better reading… However, this spacing is taken into account when generating the hmac hash, and that spacing is different from that of a webhook sent by etn for a real payment, and the test signature will not match with your hmac hash. Also, I think the test webhooks may be broken, given the endless string of zeroes appended to the payment ids, and I could not find a way to match an hmac hash with the test signature, regardless of spacing. However, they do work fine for testing webhook handling and payment verification without the signatures. My advice would be to get a friend who also has an etn account, borrow his wallet (ask first obviously :)), send him some etn and use it to debug using tiny real etn instant payments, close to the minimum of 0.1 ETN to not drain the wallet too quickly :slight_smile: By the way, implementation coming soon guys!!! :smile:


#3

May I also add, to debug efficiently I’d suggest making a real webhook, printing the body and signature to the console separately and running the exact php code provided in the API guide (you can do that with an online php sandbox such as https://www.runphponline.com/). If you can get the php hash to match with the signature, you can then work backwards from there to port that to whatever language you’re using…
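Editor's added example (not part of any post in this thread and not taken from the API guide): a Ruby sketch of the check discussed above, showing why the HMAC must be computed over the exact raw body bytes and how to diagnose a spacing mismatch. It assumes the signature header carries a hex-encoded HMAC-SHA256 of the raw body keyed with the API secret; the secret, field names and values are constructed.

```ruby
require "openssl"
require "json"

# Constant-time string comparison, so the check does not leak how many
# leading characters matched. In a Rails app,
# ActiveSupport::SecurityUtils.secure_compare does the same job.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes).each { |x, y| diff |= x ^ y }
  diff.zero?
end

# Assumption: signature = hex HMAC-SHA256(api_secret, raw body bytes).
# In Rails, pass request.raw_post here, never params or re-encoded JSON.
def valid_signature?(raw_body, signature_hex, secret)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
  secure_equal?(expected, signature_hex.to_s.strip.downcase)
end

# Debug helper: report which serialization of the payload the signature
# was computed over (:raw, :compact, :pretty), or nil if none matches.
def matching_form(raw_body, signature_hex, secret)
  forms = { raw: raw_body }
  begin
    parsed = JSON.parse(raw_body)
    forms[:compact] = JSON.generate(parsed)
    forms[:pretty]  = JSON.pretty_generate(parsed)
  rescue JSON::ParserError
    # Not JSON: only the raw bytes can be tested.
  end
  forms.find { |_, body| valid_signature?(body, signature_hex, secret) }&.first
end

# Constructed sample data (hypothetical field names and secret).
SECRET      = "constructed-test-secret"
SENT_BODY   = '{"payment_id":"7ce25b4dc0","amount":"0.10"}'
SENT_SIG    = OpenSSL::HMAC.hexdigest("SHA256", SECRET, SENT_BODY)
PRETTY_BODY = JSON.pretty_generate(JSON.parse(SENT_BODY))

if __FILE__ == $PROGRAM_NAME
  puts "raw body verifies:    #{valid_signature?(SENT_BODY, SENT_SIG, SECRET)}"
  puts "pretty copy verifies: #{valid_signature?(PRETTY_BODY, SENT_SIG, SECRET)}"
  puts "pretty copy matches as: #{matching_form(PRETTY_BODY, SENT_SIG, SECRET).inspect}"
end
```

Use `matching_form` only while debugging; the production path should call `valid_signature?` on the untouched request body and reject anything that fails.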


#4

Hi,

Thanks for the feedback, it’s always good to know how we can help developers save time and integrate more easily.

The API Guide has been updated to clarify the spacing & formatting on the test webhook. This decision was made for ease of reading.

Egg