Closed abaksha-sc closed 3 months ago
UPD: works fine in version 1.1.22
. So seems the regression issue is actual only for 1.1.23
:
Can reproduce the same issue on 1.1.23
but not with 1.1.22
.
Both verify and trigger:
So I suspect the commits in #322 are the fault
What is the problem?
I just taken the code from official example: https://dev.twitch.tv/docs/eventsub/handling-webhook-events/#simple-nodejs-example And only changed the secret to "TestTwitchWebhookSecret".
The result - command "event verify-subscription" successfully passed but "event trigger" fails.
Twitch CLI version : twitch-cli_1.1.23_Windows_x86_64 Operating System: Windows 10 Architecture Version: x64
Steps to reproduce
Trimmed from here: https://dev.twitch.tv/docs/eventsub/handling-webhook-events/#simple-nodejs-example
npm init
npm install express --save
app.js
with the following content (here is only the secret is changed):Click me - code is here
```js const crypto = require('crypto') const express = require('express'); const app = express(); const port = 8080; // Notification request headers const TWITCH_MESSAGE_ID = 'Twitch-Eventsub-Message-Id'.toLowerCase(); const TWITCH_MESSAGE_TIMESTAMP = 'Twitch-Eventsub-Message-Timestamp'.toLowerCase(); const TWITCH_MESSAGE_SIGNATURE = 'Twitch-Eventsub-Message-Signature'.toLowerCase(); const MESSAGE_TYPE = 'Twitch-Eventsub-Message-Type'.toLowerCase(); // Notification message types const MESSAGE_TYPE_VERIFICATION = 'webhook_callback_verification'; const MESSAGE_TYPE_NOTIFICATION = 'notification'; const MESSAGE_TYPE_REVOCATION = 'revocation'; // Prepend this string to the HMAC that's created from the message const HMAC_PREFIX = 'sha256='; app.use(express.raw({ // Need raw message body for signature verification type: 'application/json' })) app.post('/eventsub', (req, res) => { let secret = getSecret(); let message = getHmacMessage(req); let hmac = HMAC_PREFIX + getHmac(secret, message); // Signature to compare if (true === verifyMessage(hmac, req.headers[TWITCH_MESSAGE_SIGNATURE])) { console.log("signatures match"); // Get JSON object from body, so you can process the message. let notification = JSON.parse(req.body); if (MESSAGE_TYPE_NOTIFICATION === req.headers[MESSAGE_TYPE]) { // TODO: Do something with the event's data. console.log(`Event type: ${notification.subscription.type}`); console.log(JSON.stringify(notification.event, null, 4)); res.sendStatus(204); } else if (MESSAGE_TYPE_VERIFICATION === req.headers[MESSAGE_TYPE]) { res.set('Content-Type', 'text/plain').status(200).send(notification.challenge); } else if (MESSAGE_TYPE_REVOCATION === req.headers[MESSAGE_TYPE]) { res.sendStatus(204); console.log(`${notification.subscription.type} notifications revoked!`); console.log(`reason: ${notification.subscription.status}`); console.log(`condition: ${JSON.stringify(notification.subscription.condition, null, 4)}`); } else { res.sendStatus(204); console.log(`Unknown message type: ${req.headers[MESSAGE_TYPE]}`); } } else { console.log('403'); // Signatures didn't match. res.sendStatus(403); } }) app.listen(port, () => { console.log(`Example app listening at http://localhost:${port}`); }) function getSecret() { // !!! THE SECRET CHANGED !!!! return 'TestTwitchWebhookSecret'; // !!! THE SECRET CHANGED !!!! } // Build the message used to get the HMAC. function getHmacMessage(request) { return (request.headers[TWITCH_MESSAGE_ID] + request.headers[TWITCH_MESSAGE_TIMESTAMP] + request.body); } // Get the HMAC. function getHmac(secret, message) { return crypto.createHmac('sha256', secret) .update(message) .digest('hex'); } // Verify whether our hash matches the hash that Twitch passed in the header. function verifyMessage(hmac, verifySignature) { return crypto.timingSafeEqual(Buffer.from(hmac), Buffer.from(verifySignature)); } ```node app.js
twitch event verify-subscription channel.raid -F http://localhost:8080/eventsub -s TestTwitchWebhookSecret
and check that it's successful.twitch event trigger channel.raid -F http://localhost:8080/eventsub -s TestTwitchWebhookSecret
- it failsRelevant log output