Validating X-Twitter-Webhooks-Signature on Webhook


#1

Hello,

I have my CRC token check working for a while now, but wanted to add an additional security layer to ensure that the data is coming from Twitter. I am using the below code to validate the X-Twitter-Webhooks-Signature vs. what I think it should be, but it is not producing the same output:

    auth_header = request.headers.get('X-Twitter-Webhooks-Signature')
    logging.info("twitter auth header: {}".format(auth_header))
    request_data = request.get_data()
    validation = hmac.new(
        key=bytes(key, 'utf-8'),
        msg=bytes(str(request_data), 'utf-8'),
        digestmod=hashlib.sha256
    )

    digested = base64.b64encode(validation.digest())
    compare_auth = 'sha256=' + format(str(digested)[2:-1])
    logging.info("created auth header: {}".format(compare_auth))
    logging.info("twitter request data: {}".format(request_data))

This produces 2 different keys - example below:

INFO:root:twitter auth header: sha256=DEObjWEzsYqAt5cDPunc9nkzEZ3hYr61iY6K4mj8HEI=
INFO:root:created auth header: sha256=8dh0GOQVGigXJ59l1VhMMdmsUm+cL5+LySGriCe5zWQ=

Am I using the wrong data to produce the hash? Has anyone run into this issue before? I’m surprised I haven’t found more information on this. The only documentation is an optional note on the securing webhook page:

Optional signature header validation
With each incoming POST request from Twitter, a hash signature will be passed in the headers as x-twitter-webhooks-signature. This signature can be used to validate the source of the data is Twitter. The hash signature starts with sha256=indicating the use of HMAC SHA-256 to encrypt your Twitter app Consumer Secret and payload.

Steps to validate a request

Create a hash using your consumer secret and incoming payload body.
Compare created hash with the base64 encoded x-twitter-webhooks-signature value. Use a method like compare_digest to reduce the vulnerability to timing attacks.


closed #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.