X-sendbird-signature hash Inconsistency

Sendbird Voice/Video Calls JavaScript
1 
app.post("/K7ChatAdvDev/webchatapi/webhook",(req, res) => {
      console.log("웹훅 실행!!");
      console.log("req 내용!!");
      console.log(req);
      console.log("req body 내용!!");
      console.log(req.body);
      const body = JSON.stringify(req.body);
      console.log("1");
      const signature = req.get("x-sendbird-signature");
      console.log("2");
      const hash = crypto.createHmac('sha256', API_TOKEN).update(body).digest('hex');
      console.log("3");

      console.log(hash);
      console.log(signature);
      //body = JSON.parse(req.body); // Convert the body to JSON after creating the hash.
      console.log("4");
      console.log(body);
      console.log(hash);
      console.log(signature);
      if(signature == hash) {
        res.send(200);
        body = JSON.parse(req.body); // Convert the body to JSON after creating the hash.
        req.body.members[0].forEach(member => {
          console.log(member.is_online);
          if(!member.is_online) {
            sendPush(req.body);
          }
        });
      } else {
        res.send(401);
      } 
    });

x-sendbird-signature hash Inconsistency

x-sendbird-signature != hash ----> WHY???

2

Hello,

I think you’ve overlooked a critical piece of the documentation. You MUST receive the body of the webhook as text, and do not convert it to JSON. If you receive it as JSON in express, and then stringify it you’re technically altering the hash, and while this works sometimes it explains the inconsistencies you’re seeing.

Please take a look at the example again from our docs:

// JavaScript sample: how to check the 'x-sendbird-signature' header value.

const express = require('express');
const crypto = require('crypto');

const app = express();
const PORT = 5001;
const API_TOKEN = 'SENDBIRD_MASTER_API_TOKEN';  // The argument must be the master API token.
                                                // Secondary tokens won't work.

// The body should be a string.
// Validation fails if the body is passed as a JSON object and then stringified.
app.post('/sendbird-xsig', express.text({ type: 'json' }), (req, res) => {
  const body = req.body;
  const signature = req.get('x-sendbird-signature');
  const hash = crypto.createHmac('sha256', API_TOKEN).update(body).digest('hex');

  req.body = JSON.parse(req.body);  // Convert the body to JSON after creating the hash.
  signature == hash ? res.send(200) : res.send(401);    // Check if the value of 'x-sendbird-signature' matches the hash.
});

app.listen(PORT, () => {
  console.log(`App is listening on port ${PORT}`);
});