I’ve been attempting to implement a webhook server integration.
I’m able to setup the webhook fine, but I am unable to authenticate with the
If you specify a secret, an integrity check is calculated and located in the
X-Men-Signature-Payloadheader, which contains the HMAC-SHA256 of the payload using the configured secret.
First, it seems there is no
X-Men-Signature-Payload header, but I’ve assumed this to be the
X-Men-Signature header that is associated with the request.
Now for my issue, I setup a test webhook integration with a simple hex string secret, say
abcd. On my server, I sign the payload with hmac-256 using the
abcd secret as the key.
In a flask server (python 3.10) this looks like:
signature = request.headers["X-Men-Signature"] secret = get_mender_webhook_secret() payload = request.get_data() message_hmac = hmac.new(secret.encode(), msg=payload, digestmod=hashlib.sha256) valid = hmac.compare_digest(message_hmac.hexdigest(), signature.encode())
However, the hmac hexdigest does not match the signature from the request headers.
What am I doing wrong?