On Wednesday, February 28, 2018 at 3:50:16 PM UTC-8, Anthony wrote:
>
> I think you're on the right track. If you need the original request body 
> to verify the signature, request.body.read() should do it. Does that not 
> work?
>
> Also, I don't think you need the decorator and nested function. Just write 
> a simple function and call it at the beginning of the handler:
>
> import base64, hashlib, hmac
>
> def verify_signature():
>     secret = '<here is my secret key>'
>     body = request.body.read()  # raw request body (bytes under Python 3, str under Python 2)
>     if isinstance(body, str):
>         body = body.encode()
>     dig = hmac.new(secret.encode(), msg=body, digestmod=hashlib.sha256).digest()
>     if request.env.http_x_wc_webhook_signature != base64.b64encode(dig).decode():
>         raise HTTP(403)
>
> @service.json
> def listenToHooks():
>     verify_signature()
>     # do stuff
>
> Anthony
>
>

Don't you want a dummy parameter on verify_signature(), to prevent it being 
a URL-visible function? 

Like

def verify_signature(isinternal=True):

/dps

On Wednesday, February 28, 2018 at 4:41:01 PM UTC-5, Manuele wrote:
>>
>> On 28/02/18 17:10, Anthony wrote:
>>
>> You could parse the request body yourself, but web2py will do it 
>> automatically and put the variables in request.post_vars (if JSON is 
>> posted, its keys will become the keys of request.post_vars).
>>
>> I'm not sure what you mean by "check the request.post_vars". If there are 
>> variables you are expecting in the posted body, they will be in 
>> request.post_vars. Looking at the example log here 
>> <https://docs.woocommerce.com/document/webhooks/>, it looks like you 
>> might expect request.post_vars.action and request.post_vars.arg. The 
>> "action" value will also be in one of the request headers. Not sure if you 
>> need or care about "arg".
>>
>> A little step backward... I want to verify the call origin and 
>> authenticity.
>>
>> Each time a call is performed by a webhook it is signed with a signature 
>> in the header obtained by encoding the body and I want to verify this 
>> signature in order to be sure where the call comes from. I've found 
>> something similar for other languages and environments but not for python 
>> and web2py, for example this one 
>> https://stackoverflow.com/q/42182387/1039510. The concept is quite easy 
>> but there are some details I miss.
>>
>> Hereunder I tried to rewrite the example code[*] in a clearer way (I 
>> hope).
>>
>> Has anybody tried it before, or can somebody with some woocommerce webhook 
>> experience point me to what's wrong in it?
>>
>>
>> import base64, hashlib, hmac
>>
>> def compute(body):
>>     secret = '<here is my secret key>'
>>     if isinstance(body, str):  # request.body.read() gives bytes under Python 3
>>         body = body.encode()
>>     dig = hmac.new(secret.encode(),
>>         msg = body,
>>         digestmod = hashlib.sha256
>>     ).digest()
>>     computed = base64.b64encode(dig).decode()
>>     return computed
>>
>> def hookCheck(func):
>>     def wrapper(*args, **kw):
>>         signature = request.env.http_x_wc_webhook_signature
>>         body = request.body.read() # ??
>>         computed = compute(body)
>>         if signature==computed:
>>             return func(*args, **kw)
>>         raise HTTP(403)
>>     return wrapper
>>
>> @service.json
>> def listenToHooks():
>>     @hookCheck
>>     def _main_():
>>         # do stuff
>>         return {}
>>     return _main_()
>>
>>
>> Best regards
>>
>>     Manuele
>>
>>
>> [*] https://gist.github.com/manuelep/4b64492ceeaa07f095302f94956ea554
>>
>>
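The check the thread is circling (base64 of an HMAC-SHA256 over the raw request body, compared against the X-WC-Webhook-Signature header) as an added, stand-alone example; this is not code from any of the posters, from the linked gist, or from web2py. It hashes the raw bytes rather than a re-encoded string, compares with hmac.compare_digest so the comparison does not leak through timing, treats a missing or malformed header as a plain failure instead of an exception, and rewinds the body before reading so the check does not depend on nothing having read it earlier. FakeRequest, the secret and the JSON body are constructed stand-ins for web2py's request object and for real webhook data.

```python
import base64
import hashlib
import hmac
import io
import json

# Constructed sample values, not real WooCommerce data.
SECRET = "example-webhook-secret"
SAMPLE_BODY = b'{"id":123,"status":"processing"}'


def compute_signature(secret, raw_body):
    """Return base64(HMAC-SHA256(secret, raw_body)) as a str.

    This is the scheme the thread describes; the sender side computes the same
    value over the exact bytes it transmits, so the receiver must hash the raw
    body, not a parsed-and-reserialized copy of it.
    """
    if isinstance(raw_body, str):
        raw_body = raw_body.encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), msg=raw_body, digestmod=hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(secret, raw_body, header_value):
    """True only if header_value is the signature of raw_body under secret.

    A missing, empty or non-base64 header simply fails verification. The two
    digests are compared with hmac.compare_digest (constant time) rather than
    != on the base64 strings.
    """
    if not header_value:
        return False
    try:
        presented = base64.b64decode(header_value, validate=True)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(secret.encode("utf-8"), msg=raw_body, digestmod=hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


class FakeRequest:
    """Minimal stand-in for web2py's request (assumption: a file-like .body and
    an .env mapping holding the headers as http_* keys, as used in the thread)."""

    def __init__(self, body, headers):
        self.body = io.BytesIO(body)
        self.env = headers


def handle_webhook(req, secret):
    """Verify the request and return (status, parsed_payload_or_None).

    The body is rewound before reading: web2py's request.body is a file-like
    object, and a second read() after something else consumed it would hash an
    empty string and reject every genuine call.
    """
    req.body.seek(0)
    raw = req.body.read()
    if not verify_signature(secret, raw, req.env.get("http_x_wc_webhook_signature")):
        return 403, None
    return 200, json.loads(raw.decode("utf-8"))


if __name__ == "__main__":
    good = compute_signature(SECRET, SAMPLE_BODY)
    print(handle_webhook(FakeRequest(SAMPLE_BODY, {"http_x_wc_webhook_signature": good}), SECRET))
    print(handle_webhook(FakeRequest(SAMPLE_BODY, {}), SECRET))
```

In a real web2py controller the helper would read the global request instead of taking one as an argument; giving it at least one parameter, as /dps suggests, is what keeps it out of the set of URL-routed actions, since web2py only exposes zero-argument controller functions.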

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.