Member
Posts: 2
Registered: ‎09-16-2020

Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

I am having trouble with the authentication of webhook notifications. Please note that all testing is currently taking place in the sandbox environment. We are not live yet with this application, but planning to go into production on Nov. 6th 2020.

Below is my node.js function to validate the API call as originating from Authorize.net. This logic works perfectly when I use the "Test Webhook" button in the merchant portal. But it fails every time when webhook notifications are sent automatically by normal operations of our merchant application. Why would it work fine with the bogus transaction sent to my API from the Test Webhook button, but fail on automated notifications, when both are originating from the authorize.net sandbox? Please let me know if anyone sees a flaw in my code.

FYI – the entire request object is passed into this function as soon as it is received. I'm using crypto with this statement:

const crypto = require('crypto');

Many thanks in advance!

/**
 * -----------------------------------------------------------------------------------------
 * Compares x-anet-signature hash sent by authorize.net (x-anet-signature), with computed 
 * hash based on webhook notification body (json payload stringified), using hex signature-key 
 * stored in authnet_connect.js (auth.api_info.signature_key).
 * 
 * Returns true if they match, false if they don't match.
 * If they don't match, this notification will be rejected as not sent by Authorize.net
 */
function authenticate_webhook ( req ) {

    // Get signature sent in request header 
    let req_signature = req.headers['x-anet-signature'];
    req_signature = req_signature.substr(7); // remove 'sha512=' from beginning of hash sent

    // Generate keyed-hash message authentication code based on merchant's signature key
    let hmac = crypto.createHmac('sha512', auth.api_info.signature_key);
    let data = hmac.update(JSON.stringify(req.body));
    let gen_hmac= data.digest('hex').toUpperCase();

    utils.log(`hash sent:\n`, req_signature);
    utils.log(`hash computed:\n`, gen_hmac);

    return (req_signature == gen_hmac);
}
All Star
Posts: 733
Registered: ‎11-05-2018

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

@FirmRecJV20

Do you have it in active mode?

Member
Posts: 2
Registered: ‎09-16-2020

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

Yes, the failure only occurs when it is active and processing automated notifications. My program is capturing and logging the full headers and body from the request, and running the algorithm, and logging the results, and they don't match with live transactions, only on the static transaction sent when using test webhook button in 'inactive' mode.

Looks like I'm not the only one asking about this. This post shows the exact same logic in node.js, getting the same behavior: https://community.developer.authorize.net/t5/Integration-and-Testing/Verify-webhook-payload/m-p/7375...

Thanks

Member
Posts: 1
Registered: ‎04-24-2021

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

Hello, were you able to find the solution?
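
One thing to check with the function in the first post, shown here as an added example that is not from any poster in this thread or from Authorize.net: an HMAC is byte-exact, so hashing `JSON.stringify(req.body)` only matches when re-serialization reproduces the sender's bytes exactly. The sketch verifies over the raw body and compares in constant time; the key, the payload and the helper names are constructed, the key is passed as a string as in the original post, and whether real notifications differ in this particular way is an assumption the thread does not confirm.

```javascript
const crypto = require('crypto');

// Constructed placeholder, not a real signature key.
const SIGNATURE_KEY = 'A1B2C3D4E5F60718293A4B5C6D7E8F90';

// HMAC-SHA512 over the exact bytes given, as uppercase hex (same format as the post).
function computeSignature(bytes, key) {
    return crypto.createHmac('sha512', key).update(bytes).digest('hex').toUpperCase();
}

// Verify x-anet-signature against the body bytes exactly as received.
// rawBody must be the unparsed Buffer, captured before any JSON parsing.
function verifyWebhook(headerValue, rawBody, key) {
    const prefix = 'sha512=';
    if (typeof headerValue !== 'string' || !headerValue.toLowerCase().startsWith(prefix)) {
        return false; // missing or malformed header: reject instead of throwing
    }
    const sent = Buffer.from(headerValue.slice(prefix.length).toUpperCase(), 'utf8');
    const expected = Buffer.from(computeSignature(rawBody, key), 'utf8');
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return sent.length === expected.length && crypto.timingSafeEqual(sent, expected);
}

// The approach from the first post: hash the parsed-then-restringified body.
function verifyRestringified(headerValue, rawBody, key) {
    const reserialized = JSON.stringify(JSON.parse(rawBody.toString('utf8')));
    return verifyWebhook(headerValue, Buffer.from(reserialized, 'utf8'), key);
}

// Constructed payload (not a captured notification). The trailing-zero decimal
// is one value that JSON.parse followed by JSON.stringify rewrites (45.00 -> 45).
const rawBody = Buffer.from(
    '{"eventType":"net.authorize.payment.authcapture.created",' +
    '"payload":{"authAmount":45.00,"id":"0000000000"}}', 'utf8');

// Header as a sender would build it: signature over the raw bytes.
const header = 'sha512=' + computeSignature(rawBody, SIGNATURE_KEY);

console.log('raw bytes verified:     ', verifyWebhook(header, rawBody, SIGNATURE_KEY));
console.log('re-stringified verified:', verifyRestringified(header, rawBody, SIGNATURE_KEY));
```

If the application uses Express (an assumption; the thread does not name the framework), the `verify` option of `express.json()` receives the raw buffer and can store it on the request for this check.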