developer.authorize.net developer.cybersource.com
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a question

Node.js Webhook auth works fine with Test Webhook button, but fails on actual transactions

I am having trouble with the authentication of webhook notifications. Please note that all testing is currently taking place in the sandbox environment. We are not live yet with this application, but planning to go into production on Nov. 6th 2020.

 

Below is my node.js function to validate the API call as originating from Authorize.net. This logic works perfectly when I use the "Test Webhook" button in the merchant portal. But it fails every time when webhook notifications are sent automatically by normal operations of our merchant application. Why would it work fine with the bogus transaction sent to my API from the Test Webhook button, but fail on automated notifications, when both are originating from the authorize.net sandbox? Please let me know if anyone sees a flaw in my code.

 

FYI – the entire request object is passed into this function as soon as it is received. I'm using crypto with this statement:

const crypto = require('crypto');

 

Many thanks in advance!

 

/**
 * -----------------------------------------------------------------------------------------
 * Compares x-anet-signature hash sent by authorize.net (x-anet-signature), with computed 
 * hash based on webhook notification body (json payload stringified), using hex signature-key 
 * stored in authnet_connect.js (auth.api_info.signature_key).
 * 
 * Returns true if they match, false if they don't match.
 * If they don't match, this notification will be rejected as not sent by Authorize.net
 */
function authenticate_webhook ( req ) {

    // Get signature sent in request header 
    let req_signature = req.headers['x-anet-signature'];
    req_signature = req_signature.substr(7); // remove 'sha512=' from beginning of hash sent

    // Generate keyed-hash message authentication code based on merchant's signature key
    let hmac = crypto.createHmac('sha512', auth.api_info.signature_key);
    let data = hmac.update(JSON.stringify(req.body));
    let gen_hmac= data.digest('hex').toUpperCase();

    utils.log(`hash sent:\n`, req_signature);
    utils.log(`hash computed:\n`, gen_hmac);

    return (req_signature == gen_hmac);
}
FirmRecJV20
Member

‎10-31-2020 10:03 AM

0 Kudos
5 REPLIES 5

@FirmRecJV20 

 

do you have it in active mode?

Renaissance
All Star

‎11-01-2020 03:09 AM

0 Kudos

Yes, the failure only occurs when it is active and processing automated notifications. My program is capturing and logging the full headers and body from the request, and running the algorithm, and logging the results, and they don't match with live transactions, only on the static transaction sent when using test webhook button in 'inactive' mode. 

 

Looks like I'm not the only one asking about this. This post shows the exact same logic in node.js, getting the same behavior: https://community.developer.authorize.net/t5/Integration-and-Testing/Verify-webhook-payload/m-p/7375...

 

Thanks

FirmRecJV20
Member
In response to Renaissance

‎11-01-2020 08:00 PM - edited ‎11-01-2020 08:01 PM

0 Kudos

Hello, Were you able to find the solution.

faisalsami
Member
In response to FirmRecJV20

‎04-24-2021 12:19 PM

0 Kudos

Hello, did you ever resolve this issue? I am unfortunately at a loss for days with the same problem

three60sb
Member

‎08-18-2022 10:50 AM

0 Kudos

did the webhook authentication worked for anyone please respond 

DivyaArun
Member

‎11-04-2022 01:13 AM

0 Kudos
Copyright © 2024 Khoros, LLC