Following some examples online, I am to return a 200 response for a correctly signed payload, and a 401 response for an incorrectly signed, or malformed payload.

The following minimal example has been tested.

The signature is being generated correctly, and the checkHash() function identifies the correctly signed/formed payloads.

The feedback I am getting from the endpoint is "Response contained a body". The advice given here is to strip everything from the body of the response, but as far as I can see all I am returning is the literal response as an echo, i.e. 200 or 401.

$key = 'abcSomeKey';
$rawPayload = file_get_contents("php://input");
checkHash();

function getSignature() {
    // $rawPayload and $key are globals; without `global` they are undefined here,
    // so the HMAC is computed over an empty string (as the first answer points out).
    return base64_encode(hash_hmac('sha256', $rawPayload, $key, true));
}

function checkHash() {
    $signature = getSignature();

    // echo writes the digits into the response body; the HTTP status stays 200.
    if($signature === $_SERVER['HTTP_X_XERO_SIGNATURE']) {
        echo 200;
    }
    else {
        echo 401;
    }
}
pcgben

2 Answers

I don't know PHP well enough, but there were two errors. The signature validation wasn't working as intended inside the function block. The $rawPayload was an empty string inside the getSignature() function.

Further, I was naively returning the response code, which is correctly formatted below.

$key = "someKey";
$rawPayload = file_get_contents("php://input");   // raw request body, unchanged
$signature = base64_encode(hash_hmac('sha256', $rawPayload, $key, true));  // binary HMAC, then base64
$authKey = $_SERVER['HTTP_X_XERO_SIGNATURE'];     // the x-xero-signature request header

// Comparison at top level, where $rawPayload and $key are in scope.
// hash_equals($signature, $authKey) would make this comparison constant-time.
if($signature === $authKey)
{
    http_response_code(200);   // status only: nothing is echoed, so the body stays empty
}   
else
{
    http_response_code(401);
}
pcgben

I had this problem too, with a service.

Here is what I found out to be true:

$key = "someKey";
$rawPayload = file_get_contents("php://input");
$signature = base64_encode(hash_hmac('sha256', $rawPayload, $key, true));
$authKey = $_SERVER['HTTP_X_XERO_SIGNATURE'];
if($signature === $authKey)
{
    http_response_code(200);
}   
else
{
    http_response_code(401);
}

Doing this: base64_encode(hash_hmac('sha256', $rawPayload, $key, true)); resulted in binary output because of the hash_hmac having true on the end. Also, the base64 changed the hash_hmac, so I had to do this with mine:

$signature = hash_hmac('sha256', $rawPayload, $key);

That worked for me.

Richard
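A hardened version of the handler from both answers, added here as an example; it is not code from the question or from either answer. It keeps the top-level scope and http_response_code() approach of the first answer, replaces === with hash_equals() so the comparison is constant-time, rejects a missing header instead of raising an undefined-index notice, and includes a command-line self-check that also shows why the hex digest from the second answer does not match the base64 value Xero sends. The function names, the key 'abcSomeKey' and the sample payload are assumptions made for this example.

```php
<?php
// Added example, not code from the question or either answer.
// Function names, the key and the sample payload below are assumptions.

declare(strict_types=1);

/**
 * Signature as Xero computes it: base64 of the *binary* HMAC-SHA256 over the
 * exact raw request body. The fourth argument (true) selects raw binary
 * output; without it hash_hmac() returns hex, which base64-encodes to a
 * completely different string.
 */
function xeroSignature(string $rawPayload, string $key): string
{
    return base64_encode(hash_hmac('sha256', $rawPayload, $key, true));
}

/**
 * Constant-time check of the received header against the expected value.
 * hash_equals() does not stop at the first mismatching byte the way === does,
 * so response timing reveals nothing about how close a forged signature was.
 * A missing header is rejected rather than triggering an undefined-index
 * notice, which would itself put text into the response body.
 */
function verifyXeroSignature(string $rawPayload, string $key, ?string $header): bool
{
    if ($header === null || $header === '') {
        return false;
    }
    return hash_equals(xeroSignature($rawPayload, $key), $header);
}

if (PHP_SAPI !== 'cli') {
    // Web request: everything stays at top level, so no `global` is needed.
    $key        = 'abcSomeKey';                               // assumption: use the real webhook key
    $rawPayload = file_get_contents('php://input');           // raw bytes; never decode/re-encode first
    $header     = $_SERVER['HTTP_X_XERO_SIGNATURE'] ?? null;  // the x-xero-signature request header

    http_response_code(verifyXeroSignature($rawPayload, $key, $header) ? 200 : 401);
    exit;  // no echo and no closing tag: the response body must stay empty
}

// Command-line self-check with constructed data (no network, no Xero involved).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$key     = 'abcSomeKey';                                                  // constructed key
$payload = '{"events":[],"firstEventSequence":0,"lastEventSequence":0}';  // constructed body
$good    = xeroSignature($payload, $key);

check(verifyXeroSignature($payload, $key, $good), 'valid signature accepted');
// hash_hmac() without the binary flag yields hex, which is not what Xero sends:
check(!verifyXeroSignature($payload, $key, hash_hmac('sha256', $payload, $key)), 'hex digest rejected');
// Any change to the body, even a trailing newline, invalidates the signature:
check(!verifyXeroSignature($payload . "\n", $key, $good), 'altered body rejected');
check(!verifyXeroSignature($payload, $key, null), 'missing header rejected');
echo "all checks passed\n";
```

Run `php verify.php` from a shell to execute the self-check; deployed as the webhook endpoint the same file sets only the status code. Anything outside the `<?php` tag is output as well, so a byte-order mark at the start of the file or a blank line after a closing `?>` will also produce the "Response contained a body" error.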