Top Menu

Jump to content
Home
    Modules
      • Projects
      • Activity
      • Work packages
      • Gantt charts
      • Calendars
      • Team planners
      • Boards
      • News
    • Getting started
    • Introduction video
      Welcome to OpenProject Community
      Get a quick overview of project management and team collaboration with OpenProject. You can restart this video from the help menu.

    • Help and support
    • Upgrade to Enterprise edition
    • User guides
    • Videos
    • Shortcuts
    • Community forum
    • Enterprise support

    • Additional resources
    • Data privacy and security policy
    • Digital accessibility (DE)
    • OpenProject website
    • Security alerts / Newsletter
    • OpenProject blog
    • Release notes
    • Report a bug
    • Development roadmap
    • Add and edit translations
    • API documentation
  • Sign in
      Forgot your password?

      or sign in with your existing account

      Google

Side Menu

  • Overview
  • Activity
    Activity
  • Roadmap
  • Work packages
    Work packages
  • Gantt charts
    Gantt charts
  • Calendars
    Calendars
  • Team planners
    Team planners
  • Boards
    Boards
  • News
  • Forums

Content

General discussion
  1. OpenProject
  2. Forums
  3. General discussion
  4. How are webhook signatures generated?

How are webhook signatures generated?

Added by Dan6erbond Mohabir over 2 years ago

I am trying to build a receiver for OpenProject webhooks, which will integrate incoming webhooks from OpenProject with Discord and potentially other services in the future, but am running into a wall with the signature.

Looking at the webhook job worker it seems the webhook's signature is generated as an HMAC hash of the request data, but trying to recreate this hash in Go falls flat:

type Wrapper struct {
	Data string `json:"data"`
}

func ReceiveWebhook() {
	var wrapper Wrapper
	wrapperMap := map[string]interface{}{
		"data": string(body),
	}
	wrapperString, _ := json.Marshal(wrapperMap)
	ops.logger.Println(string(wrapperString))
	json.Unmarshal(wrapperString, &wrapper)
	ops.logger.Println(wrapper.Data)

	signature := r.Header["X-Op-Signature"]
	h := hmac.New(sha1.New, []byte(webhook["secret"].(string)))
	h.Write([]byte(wrapper.Data))
	ops.logger.Printf("%x", h.Sum(nil))
	ops.logger.Println(signature)
}

The reason for implementing the signature the way I did, is because it seems Ruby's to_json method generates an escaped JSON string (correct me if I'm wrong - I already tried the raw request body with and without indents) but the signatures never match.


Loading...