intercom / intercom-rails

The easiest way to install Intercom in a Rails app.
https://developers.intercom.io/reference
MIT License

Secure Mode not producing correct user_hash, 403 error #221

Closed aguynamedben closed 8 years ago

aguynamedben commented 8 years ago

Version info

# intercom.rb
IntercomRails.config do |config|
  config.app_id = ENV["INTERCOM_APP_ID"]
  config.api_secret = ENV["INTERCOM_API_SECRET"]
end

# application_controller.rb
skip_after_action :intercom_rails_auto_include

<%# In <head> tag %>
<%= intercom_script_tag({
  app_id: ENV["INTERCOM_APP_ID"],
  user_id: current_user.id,
}, {
  secret: ENV["INTERCOM_API_SECRET"]
}) %>

I expect Intercom to register the call.

Actual behavior

403 error from Intercom: {error_message: "incorrect user_hash"}

I can see when I look at the page source that user_hash is calculated and set to something, but I'm getting a 403 because the value isn't correct.

Are there any more docs on Secure Mode? All I can find is https://docs.intercom.io/configure-intercom-for-your-product-or-site/staying-secure/enable-secure-mode-on-your-web-product, and the link to https://gist.github.com/thewheat/7342c76ade46e7322c3e isn't sufficient because it doesn't say how to configure the user_hash with the gem. It looks like I shouldn't have to worry about setting user_hash if I'm using this gem because it's supposed to correctly set user_hash for me.

Thanks for your help.

aguynamedben commented 8 years ago

I noticed the user_hash is present on the source code of the page, in the JS variable window.intercomSettings:

window.intercomSettings = {"email":"<email>","name":"<name>","created_at":1395681256,"user_id":1234,"user_hash":"user_hash_value","app_id":"my_app_id"};

If I re-calculate what the user_hash should be based on your documents (using the Ruby method), like this:

OpenSSL::HMAC.hexdigest('sha256', "my_secret", 1234.to_s)
"user_hash_value"

The user_hash_value produced by my IRB shell doesn't match the user_hash_value present in the JavaScript this gem outputs.

aguynamedben commented 8 years ago

Never mind, problem on my side, sorry!

askehansen commented 8 years ago

@aguynamedben I'm having the same problem, what did you do to fix it?

kant01ne commented 8 years ago

api_secret and secure_mode_secret are different. You shouldn't try to use api_secret to encrypt the user_hash. Make sure you use the right one to encrypt your user_hash.

aguynamedben commented 8 years ago

My problem was me misunderstanding my dev environment (I use the dotenv gem and had incorrectly set up the env variable in .env and .env.development).
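An added example, not part of the thread or the gem's own code: a small Ruby check that recomputes user_hash with the OpenSSL call quoted above for each secret the app might have loaded, and reports which one reproduces the value found in window.intercomSettings. The helper names, the INTERCOM_SECURE_MODE_SECRET variable name, and all secret values are hypothetical and constructed for illustration.

```ruby
require "openssl"

# HMAC-SHA256 (hex) over the user_id as a string, keyed with the secret,
# matching the OpenSSL::HMAC.hexdigest call quoted in the thread.
def expected_user_hash(secret, user_id)
  OpenSSL::HMAC.hexdigest("sha256", secret, user_id.to_s)
end

# Constant-time string comparison, so the check does not leak how many
# leading characters of a hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the labels of the candidate secrets that reproduce page_hash.
# An empty list means none of the configured values produced it, e.g. the
# process loaded a different .env file than expected.
def matching_secrets(page_hash, user_id, candidates)
  candidates.select do |_label, secret|
    next false if secret.nil? || secret.empty? # unset or blank env variable
    secure_equal?(expected_user_hash(secret, user_id), page_hash.to_s.downcase)
  end.keys
end

if __FILE__ == $0
  # Constructed sample values; in a real app these would come from ENV.
  candidates = {
    "INTERCOM_API_SECRET"         => "constructed-api-secret",
    "INTERCOM_SECURE_MODE_SECRET" => "constructed-secure-mode-secret", # hypothetical name
    "INTERCOM_UNSET_EXAMPLE"      => nil
  }
  # Simulate a page rendered with the API secret instead of the
  # Secure Mode secret, the mix-up described in the thread.
  page_hash = expected_user_hash("constructed-api-secret", 1234)

  labels = matching_secrets(page_hash, 1234, candidates)
  # Print only labels, never the secret values themselves.
  puts "user_hash on page was produced by: #{labels.empty? ? 'no configured secret' : labels.join(', ')}"
end
```

Run it in the same environment (same dotenv files) as the Rails process, so the candidates reflect what the app actually loaded.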