0

I am trying to set up a webhook in Xero. I have created an endpoint which Xero hits, sending some headers and a payload. I extract the hash from the header and match it with the hash of the payload, but I never get the same hash. I am using the code below to do that.

const crypto = require('crypto');

router.post('/weebhook', function(req, res, next) {
  console.log(req.headers)
  console.dir(req.body);
  try {
    // Signature sent by Xero in the request header
    var xero_signature = req.headers['x-xero-signature']
    // Signature computed locally from the request body
    var encoded_data = encodePayload(req.body)
    console.log(xero_signature)
    console.log(encoded_data)
    if (encoded_data == xero_signature) {
      res.status(200).json();
    } else {
      res.status(401).json();
    }
  } catch(eror) {
    console.log(eror)
  }
});

// Base64-encoded HMAC-SHA256 of the JSON-stringified payload
function encodePayload(payload) {
  console.log(JSON.stringify(payload))
  const secret = 'TbJjeMSPAvJiMiD2WdHbjP20iodKCA3bL5is8vo47/pCcuGCsjtUDb7cBnWo20e0TBwZsQ/lPM41QgypzZE6lQ==';
  const hash = crypto.createHmac('sha256',secret,true)
                     .update(JSON.stringify(payload))
                     .digest().toString('base64');
  return hash
}

  • Xero hash - NzQOq6yw6W6TKs1sQ1AJtMWX24uzzkyvh92fMxukreE=
  • my hash - L74zFdcuRsK3zHmzu9K37Y1mAVIAIsDgneAPHaJ+vI4=

Please let me know what the issue is.

TechChain

2 Answers

1

There's a TypeScript sample application provided by Xero that implements the webhook signature verification.

Does the code in here help you at all? https://github.com/XeroAPI/XeroWebhooksReceiver-Node/blob/master/src/server/server.ts#L58L59

Also, please delete and recreate your webhook as you've just provided everyone with your secret webhooks key.

MJMortimer
0

Change .update(JSON.stringify(payload)) to .update(payload.toString())

rustyskates
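The mismatch discussed above, as an added example that is not part of the original posts or of Xero's sample: a signature computed over the raw request bytes verifies, while the same body parsed and re-serialized with `JSON.stringify` does not. It assumes the header carries a base64 HMAC-SHA256 of the body, as the question's code does; the key, the payload and the function names are constructed for the demo.

```javascript
const crypto = require('crypto');

// Constructed signing key for the demo only (not a real webhook key).
const DEMO_KEY = 'constructed-demo-signing-key';

// Base64 HMAC-SHA256 over the exact bytes received on the wire.
function computeSignature(rawBody, key) {
  return crypto.createHmac('sha256', key).update(rawBody).digest('base64');
}

// Constant-time comparison of the header value with the expected signature.
function verifySignature(rawBody, headerValue, key) {
  const expected = Buffer.from(computeSignature(rawBody, key), 'base64');
  const received = Buffer.from(String(headerValue || ''), 'base64');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed payload: the sender's serialization contains spacing that
// JSON.stringify will not reproduce.
const rawBody = Buffer.from('{"events": [ ], "note": "constructed"}', 'utf8');
// What the sender would place in the signature header.
const header = computeSignature(rawBody, DEMO_KEY);

// What a handler holds after a JSON body parser has run: parse, then re-serialize.
const reserialized = JSON.stringify(JSON.parse(rawBody.toString('utf8')));

function demo() {
  return {
    rawMatches: verifySignature(rawBody, header, DEMO_KEY),
    reserializedMatches: verifySignature(Buffer.from(reserialized, 'utf8'), header, DEMO_KEY),
    wrongKeyMatches: verifySignature(rawBody, header, 'another-constructed-key'),
    missingHeaderMatches: verifySignature(rawBody, undefined, DEMO_KEY),
  };
}

console.log(demo());
```

In an Express handler the raw bytes have to be captured before any JSON parsing, for example by mounting `express.raw({ type: 'application/json' })` on the webhook route so that `req.body` is a Buffer.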