How to add Hubspot signature to the header

yadewale · ‎Sep 18, 2019

Hi,

I'm trying to add X-HubSpot-Signature-Version to the request header and was wondering how to go about it.

Regards

Yemi

yadewale · ‎Sep 27, 2019

@IsaacTakushi, actually that is c# and not Java and I missed the last letter in hashedobj in my reply.

I was able to fix this by using the actual request body and not a mapped object (webhookDTO). The difference was, my mapped object had more properties, which resulted in a different hash during the hash compute. See code snippet below to get the request body:

var bodyStream = new StreamReader(HttpContext.Current.Request.InputStream);
                bodyStream.BaseStream.Seek(0, SeekOrigin.Begin);
                var bodyText = bodyStream.ReadToEnd();

I've been able to match the hash in the header and the computed hash and everything work as expected. Thank you for your time!

View solution in original post

IsaacTakushi · ‎Sep 19, 2019

Hi, @yadewale.

I'm not sure I follow. HubSpot adds the X-HubSpot-Signature-Version header to outgoing requests automatically, per this document. You shouldn't have to add this header yourself, as requests made to the HubSpot API won't do anything with it.

Please let me know if I am misunderstanding you.

Isaac Takushi

Associate Certification Manager

yadewale · ‎Sep 23, 2019

Hi Issac,

Thanks for the clarification, do you know why I could be getting the error below when I send a sample payload to the URL I created?

{
"errorType": "CONNECTION_REFUSED"
}

IsaacTakushi · ‎Sep 23, 2019

Hi, @yadewale.

I don't think I have enough information to say quite yet.

Can you share the request URL (with any authenticating information removed) and a sample payload?

Isaac Takushi

Associate Certification Manager

yadewale · ‎Sep 25, 2019

Hey Issac,

Please see below as requested:

URL => www.staging.api.wwmach.com/api/hubspot/webhook

Payload =>
"subscriptionId": 161893,
"portalId": 6318640,
"occurredAt": 1569445676959,
"subscriptionType": "company.creation",
"attemptNumber": 0,
"objectId": 123,
"changeSource": "CRM"

IsaacTakushi · ‎Sep 26, 2019

Hi, @yadewale.

Ah, I see — you're referring to testing the Webhooks API.

I'm not seeing https://www.staging.api.wwmach.com/api/hubspot/webhook resolve to an IP address (see this tool, for example), which probably explains why we're throwing the error.

Can you ensure that it resolves and has a valid SSL cert?

Isaac Takushi

Associate Certification Manager

yadewale · ‎Sep 26, 2019

Hi Issac,

My apologies, the URL is without www because its a subdomain https://staging.api.wwmach.com/api/hubspot/webhook/ and this resolves to an IP address.

I see the sample payload is an array of objects will this always be the case even for a single event such as creating a new Company?

[
{
"eventId": 1,
"subscriptionId": 161893,
"portalId": 6318640,
"occurredAt": 1569511593292,
"subscriptionType": "company.creation",
"attemptNumber": 0,
"objectId": 123,
"changeSource": "CRM",
"changeFlag": "NEW"
}
]

yadewale · ‎Sep 26, 2019

@IsaacTakushi, I was able to get it to work!

I had to complete the OAuth workflow process to connect the App to my Account. For the most part, everything works except trying to match the hash.

For some reason, the hash being computed does not match the hash in the request header. Please see the method below.

string clientSecret = ConfigurationManager.AppSettings["HubspotKey"];
                string obj = JsonConvert.SerializeObject(webhookDTO);

                string concat = string.Concat(clientSecret, obj);
                string hashedobj = WebhookManager.ComputeHash(concat);
if(Request.Headers.GetValues("X-HubSpot-Signature").First() != null && Request.Headers.GetValues("X-HubSpot-Signature").First() == hashedob){
              //Logic goes here
}

public static class WebhookManager
    {
        public static string ComputeHash(string value)
        {
            var hash = SHA256.Create();

            byte[] bytes = hash.ComputeHash(Encoding.UTF8.GetBytes(value));
            return HexStringFromBytes(bytes);
        }

        private static string HexStringFromBytes(byte[] bytes)
        {
            var sb = new StringBuilder();
            foreach (byte b in bytes)
            {
                var hex = b.ToString("x2");
                sb.Append(hex);
            }
            return sb.ToString();
        }
    }

IsaacTakushi · ‎Sep 27, 2019

Hi, @yadewale.

Glad to hear it!

I'm not familiar with Java, but one thing does jump out at me. You're setting the hash you produce to hashedobj but then in your if statement, you have:

Request.Headers.GetValues("X-HubSpot-Signature").First() == hashedob

it looks like you meant to write hashedobj but only wrote hashedob.

If you're still not getting the same hash, please share the following with me via DM:

An example webhookDTO value. (I'm guessing this is the incoming request body?)
The concat value you get by concatenating clientSecret and obj. For security, please conceal all but the first five characters of your clientSecret.

Isaac Takushi

Associate Certification Manager

yadewale · ‎Sep 27, 2019

@IsaacTakushi, actually that is c# and not Java and I missed the last letter in hashedobj in my reply.

I was able to fix this by using the actual request body and not a mapped object (webhookDTO). The difference was, my mapped object had more properties, which resulted in a different hash during the hash compute. See code snippet below to get the request body:

var bodyStream = new StreamReader(HttpContext.Current.Request.InputStream);
                bodyStream.BaseStream.Seek(0, SeekOrigin.Begin);
                var bodyText = bodyStream.ReadToEnd();

I've been able to match the hash in the header and the computed hash and everything work as expected. Thank you for your time!

IsaacTakushi · ‎Sep 27, 2019

Woohoo! Good to know and thanks for the additional context.

Isaac Takushi

Associate Certification Manager

APIs & Integrations