Posted: 25 Mar 2019 22:12 EDT Last activity: 27 Mar 2019 9:22 EDT
HMAC-SHA1 signature matching
I have a Service-REST rule that accepts webhook requests coming from WebexTeams. I have a case type in which the first stage validates the webhook by making sure the actor (the person who triggered the webhook) is someone other than my bot and that the secret I supplied to the webhook matches the x-spark-signature header coming in with the request (this header value is an HMAC-SHA1 hash of the request body using a secret I supplied when I initially created the webhook). More details on this can be found in the WebexTeams webhook guide here: https://developer.webex.com/docs/api/guides/webhooks/disabled-webhooks (scroll up one section from the bottom, where it says "Authenticating Requests").
In order to match the HMAC-SHA1 signature, we need to capture the entirety of the request body that is currently being mapped to a property tree, act on it, and compare the result with the value of the incoming x-spark-signature header. The Service-REST rule is pictured in figure A, and a breakdown of the resulting property tree is in figure B.
We currently have an activity in which I want to generate the HMAC-SHA1 signature of the request content myself and then match that generated signature with the value in the x-spark-signature header of the request. If they match, then it is validated; if not, then I will ignore the webhook request. We have two potential ways of generating the actual SHA1, but both require capturing the entire request body as a string before encoding, and we cannot seem to figure out how to "stringify" an entire property tree/data page and set it to a property.
So far we have tried the getJSON() Java function to set the properties of a page into a stringified JSON value, although it also adds in the pxObjClass property. We tried the "property-remove" method, but we get an error saying that the property is reserved. We could continue by doing a string modification of the resulting JSON string to remove it, but that is getting to be a bit too much manipulation, and I'm worried the resulting HMAC signature won't be exact. The signature depends not only on the exact JSON field keys/values matching but also on the exact whitespace.
For now this is being processed in a Python proxy server, but we would prefer to do this within Pega.
Alternately, if there are simpler ways to handle HMAC-SHA1 matching that don't require this much manual activity work, I'm sure we'd be very open to that as well.
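To illustrate the whitespace problem raised in the post, here is an added example (not from the poster or from Pega/Webex) that verifies an HMAC-SHA1 signature over the raw request body bytes, as a Python proxy would receive them, and then shows that re-serializing the same parsed JSON with different spacing no longer matches. The secret, body and hex encoding of the header value are constructed assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample values for the demo; not a real Webex webhook or secret.
WEBHOOK_SECRET = b"example-webhook-secret"
RAW_BODY = (
    b'{"id": "EXAMPLE-WEBHOOK-ID", "name": "demo", '
    b'"data": {"personEmail": "user@example.com"}}'
)


def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA1 over the exact body bytes (assumed here to be hex-encoded in the header)."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Compare in constant time so a mismatch does not leak how much of the digest matched."""
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def reserialize(body: bytes, **dumps_kwargs) -> bytes:
    """Simulate 'stringifying' a parsed property tree back to JSON text."""
    return json.dumps(json.loads(body), **dumps_kwargs).encode("utf-8")


if __name__ == "__main__":
    sig = sign_body(WEBHOOK_SECRET, RAW_BODY)
    print("raw body verifies:", verify_signature(WEBHOOK_SECRET, RAW_BODY, sig))
    # Same keys and values, only the separators differ: the signature no longer matches.
    compact = reserialize(RAW_BODY, separators=(",", ":"))
    print("re-serialized body verifies:", verify_signature(WEBHOOK_SECRET, compact, sig))
```

The takeaway for the Pega side is that the comparison has to run over the request bytes as received, before they are parsed into a property tree, since any round trip through a serializer can change whitespace, key order or add fields such as pxObjClass.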