I think you're on the right track. If you need the original request body to
verify the signature, request.body.read() should do it. Does that not work?
Also, I don't think you need the decorator and nested function. Just write
a simple function and call it at the beginning of the handler:
import base64
import hashlib
import hmac

# request, HTTP and service are web2py controller globals
def verify_signature():
    secret = '<here is my secret key>'
    body = request.body.read()  # the raw body bytes that were signed
    if isinstance(body, str):   # str on Python 2, bytes on Python 3
        body = body.encode()
    dig = hmac.new(secret.encode(), msg=body, digestmod=hashlib.sha256).digest()
    expected = base64.b64encode(dig).decode()
    signature = request.env.http_x_wc_webhook_signature or ''
    # constant-time comparison of the computed and received signatures
    if not hmac.compare_digest(expected, signature):
        raise HTTP(403)

@service.json
def listenToHooks():
    verify_signature()
    # do stuff
Anthony
On Wednesday, February 28, 2018 at 4:41:01 PM UTC-5, Manuele wrote:
>
> On 28/02/18 17:10, Anthony wrote:
>
> You could parse the request body yourself, but web2py will do it
> automatically and put the variables in request.post_vars (if JSON is
> posted, its keys will become the keys of request.post_vars).
>
> I'm not sure what you mean by "check the request.post_vars". If there are
> variables you are expecting in the posted body, they will be in
> request.post_vars. Looking at the example log here
> <https://docs.woocommerce.com/document/webhooks/>, it looks like you
> might expect request.post_vars.action and request.post_vars.arg. The
> "action" value will also be in one of the request headers. Not sure if you
> need or care about "arg".
>
> A little step backward... I want to verify the call origin and
> authenticity.
>
> Each time a call is performed by a webhook it is signed with a signature
> in the header obtained by encoding the body and I want to verify this
> signature in order to be sure where the call comes from. I've found
> something similar for other languages and environments but not for python
> and web2py, for example this one
> https://stackoverflow.com/q/42182387/1039510. The concept is quite easy
> but there are some details I miss.
>
> Hereunder I tried to rewrite the example code[*] in a clearer way (I
> hope).
>
> Has anybody tried it before, or can somebody with some woocommerce webhook
> experience point me to what's wrong in it?
>
>
> import base64
> import hashlib
> import hmac
>
> # request, HTTP and service are web2py controller globals
>
> def compute(body):
>     secret = '<here is my secret key>'
>     if isinstance(body, str):  # request.body.read() gives bytes on Python 3
>         body = body.encode()
>     dig = hmac.new(secret.encode(),
>                    msg=body,
>                    digestmod=hashlib.sha256
>                    ).digest()
>     computed = base64.b64encode(dig).decode()
>     return computed
>
> def hookCheck(func):
>     def wrapper(*args, **kw):
>         signature = request.env.http_x_wc_webhook_signature or ''
>         body = request.body.read() # ??
>         computed = compute(body)
>         # constant-time comparison of received and computed signatures
>         if hmac.compare_digest(signature, computed):
>             return func(*args, **kw)
>         raise HTTP(403)
>     return wrapper
>
> @service.json
> def listenToHooks():
>     @hookCheck
>     def _main_():
>         # do stuff
>         return {}
>     return _main_()
>
>
> Best regards
>
> Manuele
>
>
> [*] https://gist.github.com/manuelep/4b64492ceeaa07f095302f94956ea554
>
>
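A stand-alone version of the check discussed in this thread, added here as an example (it is not code from the thread, from the gist, or from web2py): it signs a constructed body the way the X-WC-Webhook-Signature header is described above (base64 of an HMAC-SHA256 over the body), verifies it in constant time, and shows why the HMAC must be fed the raw bytes that request.body.read() returns rather than a re-serialisation of the parsed request.post_vars. The function names, the sample secret and the sample body are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


def wc_signature(secret: str, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the exact body bytes, keyed with the
    webhook secret: the value carried in the X-WC-Webhook-Signature header."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_wc_signature(secret: str, raw_body, header_value) -> bool:
    """Return True only if header_value is the signature of raw_body.

    raw_body may be str or bytes (a file-like request body yields bytes on
    Python 3); a missing header is a verification failure, not an exception.
    """
    if not header_value:
        return False
    if isinstance(raw_body, str):
        raw_body = raw_body.encode("utf-8")
    expected = wc_signature(secret, raw_body).encode("ascii")
    received = str(header_value).encode("utf-8")
    # Constant-time comparison: a plain == would leak how many leading
    # characters of the guess were correct through its running time.
    return hmac.compare_digest(expected, received)


def reserialized_body(raw_body: bytes) -> bytes:
    """The bytes you would verify against if you parsed the JSON (as web2py
    does for request.post_vars) and dumped it again instead of using the
    raw body: the parsed values are the same, the bytes usually are not."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# Constructed sample: a secret and a compact JSON body as a sender would
# transmit them, plus the header the sender would attach.
SECRET = "constructed-example-secret"
RAW_BODY = b'{"action":"woocommerce_order_status_completed","arg":42}'
HEADER = wc_signature(SECRET, RAW_BODY)

if __name__ == "__main__":
    print("raw body verifies:", verify_wc_signature(SECRET, RAW_BODY, HEADER))
    print("re-serialized body verifies:",
          verify_wc_signature(SECRET, reserialized_body(RAW_BODY), HEADER))
```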