Vonage / vonage-node-sdk

Vonage API client for Node.js. API support for SMS, Voice, Text-to-Speech, Numbers, Verify (2FA) and more.
Apache License 2.0
375 stars 178 forks

Documentation missing/unclear #806

Closed iiAku closed 9 months ago

iiAku commented 1 year ago

Context

Hello,

I'm reaching out here because this is not a bug, but I'd like some help to achieve webhook signature validation. Basically I've reached your support and it seems this is a technical issue, so it might be better if this is handled here directly, as the back and forth takes time and I'd like to fix this as soon as possible.

Initially I reached your support because I noticed this was no longer accurate: https://developer.vonage.com/en/getting-started/concepts/signing-messages#validate-the-signature-on-incoming-messages Neither is that example: https://github.com/Vonage/vonage-node-code-snippets/blob/a90328e2cc545e319556816f60e4bece90b2a580/sms/verify-signed-sms-express.js#L23

Since Vonage.generateSign was not available, I dug a little bit into the library and found the auth package, where I found that method: createSignatureHash.

So I did something like that:

    // Auth and AlgorithmTypes are imported from the SDK's auth package (@vonage/auth);
    // query and body are the parsed query string and body of the incoming Express
    // request, and this runs inside an async request handler.
    const { Auth, AlgorithmTypes } = require('@vonage/auth');

    // Strip the received signature before hashing the remaining parameters.
    const { sig, ...params } = Object.assign(query, body);

    const a = new Auth({
      apiKey: process.env.VONAGE_API_KEY,
      apiSecret: process.env.VONAGE_API_SECRET,
      signature: {
        algorithm: AlgorithmTypes.sha512hmac,
        secret: process.env.VONAGE_WEBHOOK_SECRET,
      },
    });

    // Compare the locally computed hash with the one Vonage sent.
    console.log({
      mySigParams: await a.createSignatureHash(params),
      sigReceived: body.sig,
    });

The problem is that I don't know exactly how things are being done at the moment; I don't know if the params I'm passing are the correct ones.

For instance, do I have to strip the sig for the hash computation or not? Is it a completely different object?

I tried both with and without sig, and each time the sig was not matching the one I was receiving through the body.

Can someone let me know the params I should send to the function in order to properly compute the hash?

Thanks in advance.


iiAku commented 1 year ago

My other concern is that the createSignatureHash function relies on a timestamp: https://github.com/Vonage/vonage-node-sdk/blob/08889b09e2a33d895e205d4845310451c160e4af/packages/auth/lib/auth.ts#L59

Which means that even if I have the proper params it won't work, as the sig (hash based) generated and put within the header won't be generated at the same time as the one I calculate on my side to see if it matches.

What are your recommendations on that?

Thanks in advance

manchuck commented 1 year ago

@iiAku Thanks for finding this. I have created #801, which now allows createSignatureHash to no longer set the timestamp. You should then be able to use that to verify the signature coming in. I will also work with the documentation team to get the docs updated.

iiAku commented 1 year ago

Thanks for looking into this. I had a hard time understanding the link with the PR you mentioned; I believe you linked the wrong one, the proper one seems to be #810.

I have seen that statement (auth.ts L77) that auto-sets the timestamp arg if it does not exist, or takes the one the argument already has if it exists.

Now the timestamp + sig are available within the body payload from the hook. I understand you guys will work on the documentation, but I'm still unable to verify the sig. That's definitely something I need in production to know if I'm going all in with Vonage or not (it's hard to go into production if I'm unable to validate the source of the hook).

Here is the redacted payload I'm getting:

    {
      "msisdn": "",
      "to": "",
      "network-code": "",
      "messageId": "",
      "price": "0.06280000",
      "status": "",
      "scts": "",
      "err-code": "1",
      "api-key": "",
      "message-timestamp": "2023-03-26 14:52:26",
      "timestamp": "1679842346",
      "nonce": "02a7adee-5c47-4610-8a14-fdca54712e50",
      "sig": "8A364CBF001978777CFFF10FA7189CBA829CA4DE4C16A72F8C0BA08D09D20A462E1D6ACB97906689E66BE4C33F33D8B5089D2BC58861ADD8A9B31060A98984EB"
    }

I know what you pushed is the server side, so I presume what we get at the moment is the updated version. Since the lib is not yet up to date, I basically did the createHmac thing myself and tried to stick with the generateSignature function, and it does not work. It does not work because I am unable to know what the request was at the time it was computed server side by Vonage. What are the actual values being passed as params to get the proper sig?

Can anyone help with that? Thanks in advance.

manchuck commented 1 year ago

@iiAku We have created a ticket to add a function to verify the webhook signature. I will keep you posted on its progress.

In the meantime you can follow the steps here to verify the signature.

manchuck commented 11 months ago

@iiAku are you still having an issue signing your request?

JeremieDemarchez commented 10 months ago

Hello,

I've been struggling with the same issue of validating the webhook signature for a while. There is a support ticket open about this: 2274552. The support confirmed the problem and said that the fix should arrive in @vonage/server-sdk@3.9.1 and @vonage/sms@1.8.0, but I still have the error "Property 'generateSignature' does not exist on type 'typeof Vonage'.ts(2339)".

Should we use another method to validate the webhook signature using the SDK? If yes, could you please indicate the documentation that describes the process?

I also tried the manual validation, and either it doesn't work or my code is wrong. An example of a function for manual validation would be welcome if the SDK cannot be used.

Thank you. Regards

manchuck commented 9 months ago

@JeremieDemarchez can you please send over a code snippet demonstrating the issue?

manchuck commented 9 months ago

@JeremieDemarchez and @iiAku this has been resolved in #861 and #860 and released in version 3.9.1 of the SDK.