topic Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions in Integration and Testing

Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

FirmRecJV20 — Sat, 31 Oct 2020 17:03:52 GMT

I am having trouble with the authentication of webhook notifications. Please note that all testing is currently taking place in the sandbox environment. We are not live yet with this application, but planning to go into production on Nov. 6th 2020.

Below is my node.js function to validate the API call as originating from Authorize.net. This logic works perfectly when I use the "Test Webhook" button in the merchant portal. But it fails every time when webhook notifications are sent automatically by normal operations of our merchant application. Why would it work fine with the bogus transaction sent to my API from the Test Webhook button, but fail on automated notifications, when both are originating from the authorize.net sandbox? Please let me know if anyone sees a flaw in my code.

FYI – the entire request object is passed into this function as soon as it is received. I'm using crypto with this statement:

const crypto = require('crypto');

Many thanks in advance!

/**
 * -----------------------------------------------------------------------------------------
 * Compares x-anet-signature hash sent by authorize.net (x-anet-signature), with computed 
 * hash based on webhook notification body (json payload stringified), using hex signature-key 
 * stored in authnet_connect.js (auth.api_info.signature_key).
 * 
 * Returns true if they match, false if they don't match.
 * If they don't match, this notification will be rejected as not sent by Authorize.net
 */
function authenticate_webhook ( req ) {

    // Get signature sent in request header 
    let req_signature = req.headers['x-anet-signature'];
    req_signature = req_signature.substr(7); // remove 'sha512=' from beginning of hash sent

    // Generate keyed-hash message authentication code based on merchant's signature key
    let hmac = crypto.createHmac('sha512', auth.api_info.signature_key);
    let data = hmac.update(JSON.stringify(req.body));
    let gen_hmac= data.digest('hex').toUpperCase();

    utils.log(`hash sent:\n`, req_signature);
    utils.log(`hash computed:\n`, gen_hmac);

    return (req_signature == gen_hmac);
}

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

Renaissance — Sun, 01 Nov 2020 11:09:04 GMT

@FirmRecJV20

do you have it in active mode?

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

FirmRecJV20 — Mon, 02 Nov 2020 04:01:37 GMT

Yes, the failure only occurs when it is active and processing automated notifications. My program is capturing and logging the full headers and body from the request, and running the algorithm, and logging the results, and they don't match with live transactions, only on the static transaction sent when using test webhook button in 'inactive' mode.

Looks like I'm not the only one asking about this. This post shows the exact same logic in node.js, getting the same behavior: https://community.developer.authorize.net/t5/Integration-and-Testing/Verify-webhook-payload/m-p/73758/highlight/true#M45729

Thanks

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

faisalsami — Sat, 24 Apr 2021 19:19:52 GMT

Hello, Were you able to find the solution.

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

three60sb — Thu, 18 Aug 2022 17:50:41 GMT

Hello, did you ever resolve this issue? I am unfortunately at a loss for days with the same problem

Re: Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

DivyaArun — Fri, 04 Nov 2022 08:13:21 GMT

did the webhook authentication worked for anyone please respond