crisboarna / fb-messenger-bot-api

NodeJS Facebook Messenger API for bots to send messages and setup events to Facebook.
https://www.npmjs.com/package/fb-messenger-bot-api
MIT License

validateMessageIntegrity method doesn't use the payload body #98

Open toddheslin opened 4 years ago

toddheslin commented 4 years ago

I've noticed that when creating the hash here: https://github.com/crisboarna/fb-messenger-bot-api/blob/5a2c6beec1353dcf32af0e5cf5078bb51609b787/src/validation/ValidateWebhook.ts#L79

You aren't updating with the payload body. Are you using this successfully in production for an older version of the API? The current API version requires using the payload to verify the request:

> To validate the payload:
>
> 1. Generate a SHA1 signature using the payload and your app's App Secret.
> 2. Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.

https://developers.facebook.com/docs/graph-api/webhooks/getting-started#verification-requests

crisboarna commented 4 years ago

You are correct, good catch, using wrong entity for sha creation. Will release a fix for this tomorrow :)

toddheslin commented 4 years ago

I'm not sure if there is a great way of creating the payload buffer in a framework agnostic way. There is the express way: https://github.com/expressjs/body-parser#bodyparserrawoptions

But I use Fastify as a framework so I'd like the option of either just passing in the buffer (not actually supported in Fastify without a few tricks...yet), or perhaps just passing in the body object which could be turned back into a buffer for the check. I doubt this is the most performant way but not sure if it's really a big deal.

Probably the only thing I'd urge against is making any assumptions on the framework. :-)