Chat Webhook Sendbird Signature Authentication

Sendbird Chat API/SDK JavaScript
1

Hello! I recently started running into issues with verifying the x-sendbird-signature in the webhook whenever the payload.message contains any emojis or characters like a single quote ' or a double ". In these cases, the x-sendbird-signature never matches with the hash that is generated.
I noticed that the raw payload contains the unicode value (\u2018) where as the parsed payload didnt ('). This is in node.

Any normal message that doesn’t have those specific characters and emojis are authenticated correctly. Any ideas on what I can do to fix this issue? Thank you!

3

Could you please send me the webhook payload?

image
image752×884 19.3 KB

4

Here are three payload snippets

{
    "category": "group_channel:message_send",
    "type": "MESG",
    "payload": {
        "custom_type": "",
        "created_at": 1655332940593,
        "translations": {},
        "message": "you don’t see this",
        "data": "",
        "message_id": 6804334542
    },
    "sdk": "JavaScript"
}

"payload": {
        "custom_type": "",
        "created_at": 1655335263670,
        "translations": {},
        "message": "“Double quotes”",
        "data": "",
        "message_id": 6804351970
    },

"payload": {
        "custom_type": "",
        "created_at": 1655337443634,
        "translations": {},
        "message": "👍",
        "data": "",
        "message_id": 6804371926
    },
5

There is no problem with webhook API transmission.
“There was a problem verifying the x-sendbird-signature in the webhook” I don’t know what the problem is, can you explain in detail?

image
image622×641 23.4 KB 

  "type": "MESG",
  "payload": {
    "custom_type": "",
    "created_at": 1655354951765,
    "translations": {},
    "message": "👍",
    "data": "",
    "message_id": 1914544498
  },
  "channel": {
    "is_distinct": false,
    "name": "dup_ch",
6

Thanks for checking on this for me, by the way!
This is the section in the docs - Overview | Chat Platform API | Sendbird Docs

To clarify, I’m having an issue matching the x-sendbird-signature with the hash only when certain characters are in the message. If it’s a simple message such as Hello, how are you doing?, the generated hash and x-sendbird-signature match successfully. However, when emojis or single/double quotes are in the message, the generated hash is different from the x-sendbird-signature.

const hash = crypto
      .createHmac('sha256', SENDBIRD_API_TOKEN)
      .update(JSON.stringify(body))
      .digest('hex');
7

The comparison part of x-sendbird-signature seems to be different. For x-signature, non-ASCII characters like emojis are different.
const signature = req.get(‘x-sendbird-signature’);
Is the whole code correct?

// The body should be a string.
// Validation can fail if the body is passed as a JSON object and then stringified.
app.post('/sendbird-xsig', express.text({ type: 'json' }), (req, res) => {
  const body = req.body;
  const signature = req.get('x-sendbird-signature');
  const hash = crypto.createHmac('sha256', API_TOKEN).update(body).digest('hex');

  req.body = JSON.parse(req.body);  // Convert the body to JSON after creating the hash.
  signature == hash ? res.send(200) : res.send(401);    // Check if the value of 'x-sendbird-signature' matches the hash.
});
8

Yes, as far as I can tell, the code looks correct based on the documentation. To confirm we are using x-sendbird-signature and generating the hash as instructed, but for some reason whenever there is an emoji, ', or " the comparison fails.

9

Hi @Sam_Kim,

I think one important thing to note here, is that in your example, you’re stringifying the body before checking the hash. In practice, you should receive the payload as a string, and then JSON.parse() after you’ve matched the hash. Converting to a string can change the body. You can see in the sample that Scott provided, we explicitly set express.text().

10

Yes, I’ve tried that as well with no luck. I’ll try it again in case I missed anything.