Hello! I recently started running into issues with verifying the x-sendbird-signature in the webhook whenever the payload.message contains any emojis or characters like a single quote ' or a double ". In these cases, the x-sendbird-signature never matches with the hash that is generated.
I noticed that the raw payload contains the unicode value (\u2018) whereas the parsed payload didn't ('). This is in node.
Any normal message that doesn’t have those specific characters and emojis is authenticated correctly. Any ideas on what I can do to fix this issue? Thank you!
There is no problem with webhook API transmission.
“There was a problem verifying the x-sendbird-signature in the webhook” I don’t know what the problem is, can you explain in detail?
To clarify, I’m having an issue matching the x-sendbird-signature with the hash only when certain characters are in the message. If it’s a simple message such as Hello, how are you doing?, the generated hash and x-sendbird-signature match successfully. However, when emojis or single/double quotes are in the message, the generated hash is different from the x-sendbird-signature.
The comparison part of x-sendbird-signature seems to be different. For x-signature, non-ASCII characters like emojis are different.
const signature = req.get('x-sendbird-signature');
Is the whole code correct?
const crypto = require('crypto');
const express = require('express');
const app = express();
// API_TOKEN is assumed to be defined elsewhere.

// The body should be a string.
// Validation can fail if the body is passed as a JSON object and then stringified.
app.post('/sendbird-xsig', express.text({ type: 'json' }), (req, res) => {
  const body = req.body; // Raw request body, exactly as received.
  const signature = req.get('x-sendbird-signature');
  const hash = crypto.createHmac('sha256', API_TOKEN).update(body).digest('hex');
  req.body = JSON.parse(req.body); // Convert the body to JSON after creating the hash.
  // Check if the value of 'x-sendbird-signature' matches the hash.
  // res.sendStatus() replaces the deprecated res.send(<status code>) form.
  signature == hash ? res.sendStatus(200) : res.sendStatus(401);
});
Yes, as far as I can tell, the code looks correct based on the documentation. To confirm, we are using x-sendbird-signature and generating the hash as instructed, but for some reason whenever there is an emoji, ', or " the comparison fails.
I think one important thing to note here is that in your example, you’re stringifying the body before checking the hash. In practice, you should receive the payload as a string, and then JSON.parse() after you’ve matched the hash. Converting to a string can change the body. You can see in the sample that Scott provided, we explicitly set express.text().
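The mismatch discussed in this thread, reproduced offline as an added example (not code from any poster or from Sendbird): the HMAC is computed over the exact bytes received, so a body that was parsed and stringified again no longer verifies once it contains `\u` escapes. The token, the sample bodies and the function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed values for illustration; not a real token or a captured webhook.
const API_TOKEN = 'example-api-token';
// Raw body as it arrives on the wire: the quotes and the emoji are \u escapes.
const RAW_BODY = '{"payload":{"message":"\\u2018hi\\u2019 \\ud83d\\ude00"}}';
// Plain ASCII body in compact form, which survives a parse/stringify round trip.
const ASCII_BODY = '{"payload":{"message":"Hello, how are you doing?"}}';

// HMAC-SHA256 over the exact string given, hex encoded.
function sign(body, token) {
  return crypto.createHmac('sha256', token).update(body, 'utf8').digest('hex');
}

// Verify against the raw body string, comparing digests in constant time.
function verifyRaw(rawBody, signature, token) {
  const expected = Buffer.from(sign(rawBody, token), 'hex');
  const received = Buffer.from(String(signature || ''), 'hex');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// The failing pattern: the body was parsed first, then stringified again.
function verifyReserialized(parsedBody, signature, token) {
  return verifyRaw(JSON.stringify(parsedBody), signature, token);
}

// What a sender would place in x-sendbird-signature for each body.
const sigEscaped = sign(RAW_BODY, API_TOKEN);
const sigAscii = sign(ASCII_BODY, API_TOKEN);

console.log('raw body, escaped chars      :',
  verifyRaw(RAW_BODY, sigEscaped, API_TOKEN));
console.log('reserialized, escaped chars  :',
  verifyReserialized(JSON.parse(RAW_BODY), sigEscaped, API_TOKEN));
console.log('reserialized, ASCII only     :',
  verifyReserialized(JSON.parse(ASCII_BODY), sigAscii, API_TOKEN));
// The round trip turns \u2018 into a literal character, so the bytes differ.
console.log('bytes on wire vs after round trip:',
  Buffer.byteLength(RAW_BODY),
  Buffer.byteLength(JSON.stringify(JSON.parse(RAW_BODY))));
```
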