I am having trouble with the authentication of webhook notifications. Please note that all testing is currently taking place in the sandbox environment. We are not live yet with this application, but planning to go into production on Nov. 6th 2020.
Below is my node.js function to validate the API call as originating from Authorize.net. This logic works perfectly when I use the "Test Webhook" button in the merchant portal. But it fails every time when webhook notifications are sent automatically by normal operations of our merchant application. Why would it work fine with the bogus transaction sent to my API from the Test Webhook button, but fail on automated notifications, when both are originating from the authorize.net sandbox? Please let me know if anyone sees a flaw in my code.
FYI – the entire request object is passed into this function as soon as it is received. I'm using crypto with this statement:
const crypto = require('crypto');
Many thanks in advance!
/**
 * -----------------------------------------------------------------------------------------
 * Compares x-anet-signature hash sent by authorize.net (x-anet-signature), with computed
 * hash based on webhook notification body (json payload stringified), using hex signature-key
 * stored in authnet_connect.js (auth.api_info.signature_key).
 *
 * Returns true if they match, false if they don't match.
 * If they don't match, this notification will be rejected as not sent by Authorize.net
 */
// `auth` comes from authnet_connect.js and `utils.log` is the poster's own logging helper;
// neither module is shown in the post.
function authenticate_webhook ( req ) {
    // Get signature sent in request header
    let req_signature = req.headers['x-anet-signature'];
    req_signature = req_signature.substr(7); // remove 'sha512=' from beginning of hash sent

    // Generate keyed-hash message authentication code based on merchant's signature key
    let hmac = crypto.createHmac('sha512', auth.api_info.signature_key);
    // NOTE: this hashes a re-serialised copy of the parsed body, not the raw bytes that were received
    let data = hmac.update(JSON.stringify(req.body));
    let gen_hmac = data.digest('hex').toUpperCase();

    utils.log(`hash sent:\n`, req_signature);
    utils.log(`hash computed:\n`, gen_hmac);

    return (req_signature == gen_hmac);
}
10-31-2020 10:03 AM
11-01-2020 03:09 AM
Yes, the failure only occurs when it is active and processing automated notifications. My program is capturing and logging the full headers and body from the request, running the algorithm, and logging the results, and they don't match with live transactions; they only match on the static transaction sent when using the Test Webhook button in 'inactive' mode.
Looks like I'm not the only one asking about this. This post shows the exact same logic in node.js, getting the same behavior: https://community.developer.authorize.net/t5/Integration-and-Testing/Verify-webhook-payload/m-p/7375...
Thanks
11-01-2020 08:00 PM - edited 11-01-2020 08:01 PM
Hello, were you able to find the solution?
04-24-2021 12:19 PM
Hello, did you ever resolve this issue? I am unfortunately at a loss for days with the same problem.
08-18-2022 10:50 AM
Did the webhook authentication work for anyone? Please respond.
11-04-2022 01:13 AM