What is the expected Content-Type for the body of a POST request from the Account Activity API for webhooks? I do not see documentation on it in the Validating the Signature Header.
I am having difficulty with assuming the type is JSON (application/json) for getting my HMAC hashes created and compared properly. I've tried Content-Type Text with no luck. I am using Postman to reproduce a POST with the X-Twitter-Webhooks-Signature header and a body that I logged from a tweet_create_events I received earlier. Anything in particular I have to do in the way I paste the JSON string of a message event?
@phuson mentions getting the raw string from the body yields different results.
The Node.js crypto module does not include a compare_digest for HMAC like the one found in the Python library. Is there anything specific that needs to be done in Node and Express to validate the signature header?
Some sort of validate_signature function in the twitterdev/twitter-webhook-boilerplate-node repo would be helpful. @andypiper @joncipriano
Here is a minimal example I made based on the boilerplate repo. Does something need to change in bodyParser for it to work?
```javascript
require('dotenv').config();
var crypto = require('crypto');
var express = require('express');
var bodyParser = require('body-parser');

var app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));

app.post('/path/to/twitter/webhook', function(request, response) {
  // Node lowercases incoming header names; the first lookup is kept as a fallback.
  var twitterSignature = request.headers['X-Twitter-Webhooks-Signature'] ||
    request.headers['x-twitter-webhooks-signature'];

  if (validTwitterSignature(twitterSignature, request.body)) {
    response.sendStatus(200);
    // event_processor is not defined in this snippet.
    event_processor.process(request.body);
  } else {
    response.sendStatus(404);
  }
});

// Builds 'sha256=' + base64(HMAC-SHA256) over the re-serialized parsed body
// and compares it with the header value.
var validTwitterSignature = function(signature, body) {
  var generatedSignature = 'sha256='.concat(
    crypto.createHmac('sha256', process.env.TWITTER_CONSUMER_SECRET)
      .update(JSON.stringify(body), 'utf8')
      .digest('base64')
  );
  return signature === generatedSignature;
};
```