Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Validate TypeForm Webhook payload in Node

Tags:

javascript

webhooks

typeform

I set up a Typeform webhook and it's working well.

Now I'm trying to secure it, but I'm stuck in the Validate payload from Typeform section.

I adapted the outlined steps and the Ruby example (and a PHP example that Typeform Helpcenter sent me) to Node (Meteor):

const crypto = require('crypto');

function post() {
  const payload = this.bodyParams;
  const stringifiedPayload = JSON.stringify(payload);

  const secret = 'the-random-string';

  const receivedSignature = lodash.get(request, 'headers.typeform-signature', '');

  const hash = crypto
    .createHmac('sha256', secret)
    .update(stringifiedPayload, 'binary')
    .digest('base64');
  const actualSignature = `sha256=${hash}`;

  console.log('actualSignature:', actualSignature);
  console.log('receivedSignature:', receivedSignature);

  if (actualSignature !== receivedSignature) {
    return { statusCode: 200 };
  }

  // .. continue ..
});

But the actualSignature and receivedSignature never match, I get results like:

actualSignature: sha256=4xe1AF0apjIgJNf1jSBG+OFwLYZsKoyFBOzRCesXM0g=
receivedSignature: sha256=b+ZdBUL5KcMAjITxkpzIFibOL1eEtvN84JhF2+schPo=

Why could this be?

like image 530
Bart S Avatar asked Jan 21 '26 03:01

Bart S

1 Answers

You need to use the raw binary request, it is specified in the docs here

Using the HMAC SHA-256 algorithm, create a hash (using created_token as a key) of the entire received payload as binary.

Here is an example using express and the body-parser middleware

const crypto = require('crypto');
const express = require("express");
const bodyParser = require('body-parser');

const TYPEFORM_SECRET = 'your-secret';

const app = express();
const port = 3000;

app.use(bodyParser.raw({ type: 'application/json' }));

app.post(`/webhook`, (req, res) => {
  const expectedSig = req.header('Typeform-Signature');

  const hash = crypto.createHmac('sha256', TYPEFORM_SECRET)
    .update(req.body)
    .digest('base64');

  const actualSig = `sha256=${hash}`;

  if (actualSig !== expectedSig) {
    // invalid request
    res.status(403).send();
    return;
  }

  // successful

  res.status(200).send();
});

app.listen(port, () => {
  console.log(`listening on port ${port}!`);
});
like image 81
JordanW Avatar answered Jan 22 '26 18:01

JordanW

Sign in to Comment

Related questions

How do I change the browser width/height in jQuery?
How to stop onChange in JavaScript
ASP.Net PostbackURL doesn't work if I put in Javascript Validation
how to detect touch hover with Javascript?
Javascript global error handling via AJAX/PHP: limit logs to my own script
BrainTree.js with AngularJS and customVariables
Jquery Addclass/Removeclass in specific order based on id attribute
jQuery UI Datepicker getDate returns today's date on invalid date
Drag and Drop Images into Canvas
Javascript keydown timing
SCEditor: Submit form with Shortcut Ctrl+Enter - How to get instance's parent?
How to get canvas from postcompose event of map in openlayers 6
Alternative option of for and findIndex Loop?
Cannot use variables to change css property
How to make this multi-slide panel loop indefinitely
Subscribe to all observables sequentially, and then emit values as array once all have completed
Are functions on navigator.serial and SerialPort in Serial API unimplemented?
Where is the controller in Angular 7 as it follows mvc architecture
How can i make a POST request in my local network when the origin is http and the target url is https?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!