Closed fredbaa closed 7 years ago
@fredbaa You need to pass a hash of all the parameters from the Nexmo callback to check_signature, including the sig parameter. Depends on what web framework you're using, but assuming you're using something Rack-based like Sinatra or Rails then request.GET
should do it. The README example is currently a bit confusing because I didn't fully translate from the Python (fixed in 443327a).
@timcraft I'm using Rails and I tried passing on the request.query_parameters
on check_signature
but it still returns false. I'm not sure if the keys sent are correct or if the signature_secret Nexmo gave me is wrong.
Here's my sample parameters, please see if there are any keys not used. (Changed some values here)
{
"msisdn":"911234567891",
"to":"910987654321",
"messageId":"00000BBBB0000AA",
"text":"Test Message",
"type":"text",
"keyword":"TEST",
"message-timestamp":"2016-11-17 05:16:11×tamp=1479359771",
"nonce":"1d2bc5c9-8c0e-49e4-a247-e7953745457e",
"sig":"ed9e5171a0852525058487c93b42ed38"
}
@fredbaa In Rails the #query_parameters method is an alias for the #GET method so that's ok. You can contact support@nexmo.com to check the signature secret on your account. The parameters will vary depending on which callback you're getting. For SMS delivery callbacks I get: msisdn, to, network-code, messageId, price, status, scts, err-code, message-timestamp, timestamp, nonce, and sig.
The message-timestamp in your example looks suspicious. The message-timestamp should be just "2016-11-17 05:16:11"
, and it looks like "1479359771"
should be the value of the timestamp parameter, which is missing from your example.
Have you specified the signature_secret option or NEXMO_SIGNATURE_SECRET environment variable?
@timcraft yes I did specify the signature_secret
when initializing Nexmo client. Also contacted Nexmo support already and they confirmed that my signature_secret is correct.
The timestamp parameter also boggles me because it's appended to the message-timestamp
. Though I tried extracting it and adding timestamp
as separate key, but still to no avail.
By the way, the values I showed you on the previous comment is from an inbound message callback, not the delivery callback. So probably signature is created differently from a delivery callback, and an inbound message callback.
@fredbaa Ok. The signature implementation isn't specific to any kind of callback so if it works for one callback it should work for another, assuming there isn't a bug in the API that only affects some callbacks, which is one possibility. Can you try logging request.query_string
to see if that's formatted correctly or if there is an encoding problem there?
@timcraft
Here's my request.query_string
sample:
msisdn=911234567890&to=919876543210&messageId=0B0000000000A6B1&text=Hi+again&type=text&keyword=HI&message-timestamp=2016-11-17+07%3A04%3A32%C3%97tamp=1479366272&nonce=abd80ac2-6254-46c0-8b5d-517bf5eab18e&sig=26d8d2c6b4257e3ca13c668478a631da
Except for the message-timestamp, encoding of other params seems okay. I tried extracting the message-timestamp to get the tamp
field and add as a separate value in the params. Also noticed that the extra character "%C3%97" which results to a character ×
. I'm not sure if that was included on creating the signature or if the message-timestamp should include it.
@timcraft oh wow. I tried changing the tamp
parameter to timestamp
and it worked perfectly. A bit of a hassle to extract the value on message-timestamp
but it works now. Thanks for the help! Maybe add a note to this on your next README.md
@fredbaa I think that's a bug in the API, not specific to this library. Checking with Nexmo to confirm.
The expected format is:
?msisdn=441632960960&to=441632960961&messageId=000000FFFB0356D1&text=This+is+an+inbound+message&type=text&message-timestamp=2012-08-19+20%3A38%3A23
with an additional nonce
parameter (which we should add to the docs). https://docs.nexmo.com/messaging/sms-api/api-reference#inbound
I've just done a test and I don't see the problem:
msisdn=NUMBER&to=NUMBER&messageId=MESSAGE_ID&text=Hello&type=text&keyword=HELLO&message-timestamp=2016-11-21+14%3A53%3A27×tamp=1479740007&nonce=56d2c52e-dcfa-4c00-9635-c103b227bbe6&sig=SIGNATURE
Is there any chance that something in Rails is tampering with the querystring that results in message-timestamp=2016-11-17+07%3A04%3A32%C3%97tamp=1479366272
?
@leggetter I don't think Rails is tampering with the response because this is the
query string also when I tried searching the message in Nexmo dashboard.
All of the inbound messages sent after the signature check was added gave
the same message-timestamp
value with the tamp value appended on it.
I've seen a few comments about ×
is being converted to ×
by frameworks and runtimes. It looks like that is what's happening here.
×tamp
-> tamp
Okay I see. Then I just have to handle it on the backend when this happens. Thanks for all your help @leggetter @timcraft
On Tue, 22 Nov 2016 at 12:11 AM, Phil Leggetter notifications@github.com wrote:
I've seen a few comments about × is being converted to × by frameworks and runtimes. It looks like that is what's happening here.
×tamp -> tamp
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Nexmo/nexmo-ruby/issues/60#issuecomment-261982995, or mute the thread https://github.com/notifications/unsubscribe-auth/AATBIGm6_eVfI97Zh-t-PHnz7DEd8ScDks5rAcKUgaJpZM4K1I8Y .
@fredbaa I've got inbound message callbacks working ok with Sinatra. Haven't tried with Rails yet, but I can't see anything in the query parsing code which would cause that. Could be something else in your application interfering with it perhaps. What version of Rails are you using?
Where are you seeing the issue in the dashboard exactly?
@timcraft tried it again, seems the problem was on the Nexmo dashboard displaying ×
to ×
. I added logging on the callback url for the actual parameters received, and checked again on my Rails backend and the parameters are actually intact . I'm still working in development for the signature check, and the callback url is already in production so I just use the dashboard in Nexmo to get the query string and test the parameters back on my development environment. Will use my own logs now to get the actual value received, and not in Nexmo dashboard. Sorry for this confusion, I didn't catch it the first time.
This is where i get the value for the query string (http://dashboard.nexmo.com/sms):
@fredbaa Ok, that makes sense. You can use something like localtunnel, ngrok, or pagekite to test the callbacks in development. Which part of the Nexmo dashboard is displaying the parameter incorrectly?
I added a screenshot on the above comment. It's where you search for delivery receipts and inbound messages.
@fredbaa Got it, thanks!
@leggetter The SMS debug log is the source of the problem, I can reproduce the issue with my account. Please can you pass on to the relevant person internally so it can be fixed?
I have a lot of parameters passed by the Nexmo inbound callback, and I'm not sure which parameters are needed for decryption when passing to
check_signature
.