【发布时间】:2017-12-07 04:46:37
【问题描述】:
我正在向我的 Messenger 应用程序添加 X-Hub 验证。我是在这里了解到的:https://developers.facebook.com/docs/messenger-platform/webhook-reference
我已成功通过验证来处理简单的短信,但是当我发送位置而不是短信时,验证失败,因为我生成的哈希值与 Facebook 在标题中给我的哈希值不匹配。这是我的验证码:
module.exports.requestIsValid = function(event) {
if (event['headers']['X-Hub-Signature']) {
var sha = event['headers']['X-Hub-Signature']
var body = JSON.stringify(event.body);
return sha == `sha1=${crypto.createHmac('sha1', config.APP_SECRET).update(body).digest('hex')}`;
}
return false; // this return is never called, I know that the first return is the one returning false when it should be true
}
以下是常规文本消息负载的示例:
{"body":{"object":"page","entry":[{"id":"1366222643461024","time":1499114399253,"messaging":[{"sender":{"id ":"1582085681843981"},"recipient":{"id":"1366222643461024"},"timestamp":1499114399084,"message":{"mid":"mid.$cAASAZhi0_wRjO3OtbFdCi5lV2qe4","seq":52192," text":"Test"}}]}]},"method":"POST","principalId":"offlineContext_authorizer_principalId","headers":{"X-Real-Ip":"173.252.88.182","X -Forwarded-For":"173.252.88.182","Host":"test.localtunnel.me","X-Forwarded-Proto":"https","X-Nginx-Proxy":"true","Connection ":"close","Content-Length":"270","Accept":"/","Accept-Encoding":"deflate, gzip","Content-Type":" application/json","X-Hub-Signature":"sha1=0f51d788fe5f1111846097ad016728cdcd06029f"},"query":{},"path":{},"identity":{"accountId":"offlineContext_accountId","apiKey" :"offlineContext_apiKey","caller":"offlineContext_caller","cognitoAuthenticationProvider":"offlineContext_cognitoAuthenticationProvider","cognitoAuthenticationType":"offlineContext_cognitoAuthenticationType","sou rceIp":"127.0.0.1","user":"offlineContext_user","userAgent":"","userArn":"offlineContext_userArn"},"stageVariables":{},"isOffline":true}
下面是一个带有位置的有效负载示例:
{"body":{"object":"page","entry":[{"id":"1366222643461024","time":1499114451619,"messaging":[{"sender":{"id ":"1582085681843981"},"recipient":{"id":"1366222643461024"},"timestamp":1499114451469,"message":{"mid":"mid.$cAASAZhi0_wRjO3R6DVdCi8v9yqk0","seq":52196," attachments":[{"title":"Brandon 的位置","url":"https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.bing.com%2Fmaps%2Fdefault.aspx%3Fv%3D2%26pc%3DFACEBK%26mid%3D8100%26where1%3D35.142236316764%252C%2B-106.53531087607%26FORM%3DFBKPL1%26mkt%3Den-US&h=ATOu8uYrLDiFl6wG8RVfhXvwkMl7uB_l2MHqB_uKLhk8qC9p1ua0EOLpGkznVX7Y8YfxSXP7vDuAR7swPmDCw1esH2bwKhNNsZKxVPC2ViC2AFMO_g&s=1&enc=AZMYxff8btvCZWHtzUR4oFL7K2Mg6nXM_O_tRXXL-L8z508UAOauiSRztoRvWdlGCWU1dNRdNK1ls2CGulM8lvzR","type":"location","payload":{"coordinates":{"lat":35.142236316764,"long ":-106.53531087607}}}]}}]}]},"method":"POST","principalId":"offlineContext_authorizer_principalId』,"headers":{"X-Real-Ip":"173.252.90.239", "X-Forwarded-For":"173.252.90.239","Host":"test.localtunnel.me","X-Forwarded-Proto":"https","X-Nginx-Proxy":"true", "Connection":"close","Content-Length":"911","Accept":"/","Accept-Encoding":"deflate, gzip","Content-Type" :"application/json","X-Hub-Signature":"sha1=34f23436b2744b9b0cc8776922e7386c454786db"},"query":{},"path":{},"identity":{"accountId":"offlineContext_accountId"," apiKey":"offlineContext_apiKey","caller":"offlineContext_caller","cognitoA uthenticationProvider":"offlineContext_cognitoAuthenticationProvider","cognitoAuthenticationType":"offlineContext_cognitoAuthenticationType","sourceIp":"127.0.0.1","user":"offlineContext_user","userAgent":"","userArn":"offlineContext_userArn"}," stageVariables":{},"isOffline":true}
如果需要,很乐意提供额外信息。
更新: 经过进一步检查,似乎只有在有效负载中存在“附件”字段时,验证才会失败。因此,如果我发送图片或 gif 或类似的东西时也会失败。
【问题讨论】:
-
您不应该自己对数据进行字符串化(即使是最微小的差异也会使哈希无效),而应该从您的应用程序首先收到的原始帖子正文创建哈希。
-
@CBroe 当我省略 stringify 时,我收到此错误 - TypeError: Data must be a string or a buffer。看起来它来自我正在使用的加密节点模块
标签: facebook security postback sha facebook-messenger