I'm implementing a webhook callback in my Rails controller and I've attempted to follow the approach used in the rspec test that comes with the gem in order to verify the signature passed from Nexmo (see the 'check_signature method' test):
https://github.com/Nexmo/nexmo-ruby/blob/master/spec/nexmo/client_spec.rb
In my Nexmo API Settings, I added a Signature Secret (generated with Ruby Digest::MD5) to my account. I configured my webproxy with ngrok and on my Nexmo test number, I added the webhook callback generated by ngrok when it started up.
So, I try texting to my Nexmo phone number and Nexmo does push me a POST to my controller method however it does not contain a 'sig' or 'signature' parameter in the payload.
Unfortunately, I've not been able find much in the way of documentation on this specific feature. I may not be generating the Signature Secret correctly in my account on Nexmo. Most similar services actually generate these webhook validation secrets for you... not sure why Nexmo does not.
Anyway, if anyone has any suggestions, I'd really appreciate it.
You will need to email support#nexmo.com with your API key and ask them to turn on webhook signatures.
Related
I'm trying to convert a v2 recaptcha flow to use the enterprise version. What is the equivalent to the server side call to https://www.google.com/recaptcha/api/siteverify?
If I try to send the same or similar POST request to https://recaptchaenterprise.googleapis.com or https://recaptchaenterprise.googleapis.com/<project path>, I get a 404 back.
There does not appear to be a matching v1 or v1beta1 endpoint for siteverify -- at least not that I've found in any of the docs or in the official recaptcha node.js library. What am I missing here?
There is no direct equivalent to the previously recommended verification call in the enterprise version (the call to https://www.google.com/recaptcha/api/siteverify).
If you want to mimic this server side verification flow, you must create a new assessment for the checkbox token and make a judgement based on that score yourself.
Probably you have found a solution by now. But for those still looking
if you configure your request like this you'll get what you want:
https://www.google.com/recaptcha/api/siteverify?secret=${recaptchaSecretKey}&response=${recaptchaToken};
where secret is 'The shared key between your site and reCAPTCHA.'
And response is 'The user response token provided by the reCAPTCHA client-side integration on your site.'.
I am trying to verify a paypal webhook using the headers. I have this code which gets the headers
#PostMapping("paypal")
fun paypalMapping(
#RequestHeader("PAYPAL-TRANSMISSION-SIG") transmissionSig:String,
#RequestHeader("PAYPAL-AUTH-ALGO") authAlgo:String,
#RequestHeader("PAYPAL-CERT-URL") certUrl:String,
#RequestBody paypalOrder: PaypalOrder
){
println("Incoming paypal order!")
println(transmissionSig)
println(authAlgo)
println(certUrl)
}
However I am unsure what I should be comparing these strings to. The only sdk i am using is the checkout one, as the general REST one is deprecated
There are a couple methods, DIY Verification or the Webhook API, documented here: https://developer.paypal.com/docs/api-basics/notifications/webhooks/rest/#verify-event-notifications
Don't use the REST SDKs as they are no longer maintained.
I'm having trouble using the API to send money from one set account into another account via email address for off-chain transactions. There's probably a simple solution to this but I haven't found anything that has worked for me yet despite reading other questions here, basically whenever I make an API request to send money it has an error 401 saying invalid signature.
Following the instructions on the developers page I am making a POST request to the API, and am authenticating the request using an API Key. Everything seems to be working other than the HMAC sha256 signature.
For example let's say that my API key is abc123def456ghi0 and the API secret is 123qwertyuiopasdfghjklzxcvbnm456. Epoch time is 12345678, the method is of course POST, the email I want to send Bitcoin to is me#example.com, the amount is 0.00000015BTC and wallet/account ID is 2bbf394c-193b-5b2a-9155-3b4732659ede.
I make a POST request to https://api.coinbase.com/v2/accounts/2bbf394c-193b-5b2a-9155-3b4732659ede/transactions and set the body to type=send&to=me#example.com&amount=0.00000015¤cy=BTC
This works fine, the issue I'm having is with the sha256 signature in the header. I'm able to set CB-ACCESS-KEY to abc123def456ghi0 and CB-ACCESS-TIMESTAMP to 12345678, and I'm able to create sha256 signatures easily and sign them with my secret key, I just think I'm putting the wrong text in
Now I have some variables:timestamp: 12345678method: POSTrequestPath: /v2/accounts/1dcea380-77e6-5fd4-8a5b-28c41be39a57/transactionsbody: type=send&to=me#example.com&amount=0.00000015¤cy=BTC
On the developers page it says to join the timestamp, method, request path and body in the message. I'm doing this and signing it with my secret key but I still get an error. I'm just a hobbyist so don't have much experience, this is the message I have: 12345678POST/v2/accounts/2bbf394c-193b-5b2a-9155-3b4732659ede/transactionstype=send&to=me#example.com&amount=0.00000015¤cy=BTC and then I sign it with my secret key 123qwertyuiopasdfghjklzxcvbnm456
There must be something simple I'm missing, I know all the variables are being joined properly so maybe I have a / somewhere there isn't supposed to be or maybe I need to switch something around, I just know there's a simple solution to this so if anyone could help it would be greatly appreciated.
Sorry - turns out my HMAC sha256 encoder was also encoding into base64. I have fixed this and now it is working.
Using the Ruby DocuSign API I keep getting a bad request when executing the login code published on the Git readme and only providing the required parameters.
The response I am getting is:
ETHON: Libcurl initialized
ETHON: performed EASY effective_url=https://account-d.docusign.com/oauth/token response_code=400 return_code=ok total_time=0.436539
DocuSign_eSign::ApiError: Bad Request
from /home/dev/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/docusign_esign-1.0.0/lib/docusign_esign/api_client.rb:66:in `call_api'
from /home/dev/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/docusign_esign-1.0.0/lib/docusign_esign/api_client.rb:410:in `configure_jwt_authorization_flow
Any assistance would be greatly appreciated.
I actually had the same issue and I spoke to the person managing the Ruby API SDK:
https://github.com/docusign/docusign-ruby-client
It seems like what happened for me was that the user consent was missing a scope:
https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=https://docusign.com
Originally I only had signature in my scope, as I was following the example on the documentation page.
Then I changed the user_id from email to the actual key. (It says email or key for the user ID on the admin dashboard but email didn't work for me)
I am currently testing Stripe webhooks using the latest Laravel Spark. I've got a Stripe account working, meaning that I can add (fake) creditcards and charge subscriptions/single payments. Next, I am using a fake hook endpoint (ultrahook.com) to retrieve webhooks requests from Stripe.
My vanilla route file is from the Spark installation:
$router->post('/webhook/stripe', 'Settings\Billing\StripeWebhookController#handleWebhook');
And should handle all the webhooks fine. To test the webhooks, I checked the StripeWebhookController object and changed a method to log some info:
protected function handleInvoicePaymentSucceeded(array $payload)
{
Log::info('This is some useful handleInvoicePaymentSucceeded.');
}
However, nothing gets logged when I call run a Stripe test webhook of type: invoice.payment_succeeded.
I do see the request coming into the ultrahook console and it gets returned a 200. I can also copy paste the JSON Stripe test webhook and paste it into Postman after which it gets send to http://localhost:80/webhook/stripe ... again a 200 response but nothing logged.
Any advice?
Laravel Cashier instructs you to exclude the webhook routes from VerifyCsrfToken middleware as stated here:
https://laravel.com/docs/5.5/billing#handling-stripe-webhooks
Spark uses Cashier, I'd imagine you need to do the same then.
Well, it appears that I needed to add
CASHIER_ENV=testing
in the env file. Nice to see that in the documentation Laravel... not
stripe webhooks don't call localhost, it should have a domain name to call.
you may use ultrahook gem for that..
it will create a temporary binding url which you can provide in stripe dashboard as callback url
like this
ultrahook stripe 80
which would give you an url that you map it in stripe dashboard
http://stripe.somename.ultrahook.com -> http://localhost:80
NOTE: You can access this url on a browser, it is just a virtual binding