Nov 17, 20217:11 AM - edited Nov 17, 20217:12 AM
Member
Incorrect X-Hubspot-Signature in CRM extension's requests
SOLVE
@fastjackthey've changed how the v3 signature is generated, without any updates to the documentation, once again. Previously, you had to url encode the query string parameters (no mention of query string in the docs...) so emails had %40 instead of @. Now, that's no longer the case.
@dennisedsonthis functionality has now broken twice in the last month, both due to unannounced and undocumented changes on the HubSpot side. I think that's pretty unacceptable. Also, the documentation should be massively improved with working examples, to avoid a suck-it-and-see approach to implementation.
Just received info from the team. Looks like there was a bug fix applied to a low level library which had unexpected side effects. The change has been reverted and all should be back with regards to the v2 signature.
As for the query string that @paulmdavies mentioned, he v3 signature requires decoding certain characters in the query params of the request URI before calculating the signature. This was a miss on our part not getting it into the docs. We will update them accordingly. I will also mention the suggestion of working examples.
I understand the frustration that this has caused. I have made sure that the teams have heard this and we will continue to improve the safeguards in our systems in an effort to prevent these types of issues from occurring.
I also want to thank you for voicing these issues here. It is important to be called out on our shortcomings. Otherwise, we would be developing a product in a vaccum which is good for no one.
We do take the comments seriously and we are listening actively to the Community.
Incorrect X-Hubspot-Signature in CRM extension's requests
SOLVE
v3 signature requires decoding certain characters in the query params of the request URI before calculating the signature. This was a miss on our part not getting it into the docs. We will update them accordingly. I will also mention the suggestion of working examples.
It looks like it's still not in the docs. Please help, I'm facing the same problem. How should I encode/decode certain characters in the query params? For example, I have an URI:
Incorrect X-Hubspot-Signature in CRM extension's requests
SOLVE
It turns out that we did the hashing based on the decoded query string on the v2 signatures. This worked fine up to the launch of v3 signatures. Now you need to hash the raw query string! This was the issue on v3 signatures as well.
Incorrect X-Hubspot-Signature in CRM extension's requests
SOLVE
We are also experiencing signature mismatches on v2 that was working fine before. This is a big problem for us. We have tried to move to v3 but failing to get the signature to match there as well.
I did some testing this morning, but I'm still seeing the same v2 signature mismatches.
The URL part of our signature does have some nuance to it. Params on the URL contain characters that needed to follow a mix of being url-encoded and _not_ url-encoded as described in my older post.
Have there been changes made to the way that URL params are treated in the signature computation on the HubSpot side? Some potential reasons that come to mind are sanitizing the params to ensure there is no XSS injection or other security exploits being attempted, but I would need to understand how to make sure we wind up with the same URL param values to re-compute the signature on our end for validation.
Incorrect X-Hubspot-Signature in CRM extension's requests
SOLVE
I just confirmed that we are also receiving the X-Hubspot-Signature-v3 header per that announcement, but the X-Hubspot-Signature-Version is still set to v2 and the X-Hubspot-Signature value no longer matches.
This is exactly what we were seeing also.
We had to update our integration to v3 signature to make it work again and allow our sales team to resume its work.
Was the situation resolved for you, @fastjack ? I just confirmed that we are also receiving the X-Hubspot-Signature-v3 header per that announcement, but the X-Hubspot-Signature-Version is still set to v2 and the X-Hubspot-Signature value no longer matches.