Is going to be ok. But if Latin characters like "ñ", or whatever words with accent marks, are present in the request body, the signature validation hash is incorrect in all my tests. Is somebody aware of this same behavior, or is there some HubSpot Support friend that can enlighten me about this?
I have the same issue with Python. I already have the app installed in my client and my webhook set with the app id, but the hashes are not the same. This is my code:
For me the issue was that the request URI was being seen as the internal HTTP request from nginx rather than HTTPS. In my case a simple string replace resolved the issue.
Here is some Symfony code. It checks both possible versions of the signature.
To be honest I'm not extremely familiar with PHP, but I should be able to follow along. Are you following the instructions documented here: https://knowledge.hubspot.com/articles/kcs_article/workflows/how-do-i-use-webhooks-with-hubspot-work... ? I just want to make sure you're concatenating the right values. Are you also adding the app secret in your concatenation? It looks like you've got the method, URI, and request body, but I'm not sure I'm seeing an app secret being concatenated as well, which could account for the discrepancy.
@balabanov, your looping of getallheaders() until you find 'X-Hubspot-Signature' would let a fake request without any 'X-Hubspot-Signature' header passed at all get successfully through your hash check. Optionally in PHP, this value can be referenced as $_SERVER['HTTP_X_HUBSPOT_SIGNATURE']. You can see what version of webhooks you're receiving by checking the value of $_SERVER['HTTP_X_HUBSPOT_SIGNATURE_VERSION'] ('v1' is what I receive).
Because if you're actually trying to authenticate webhooks sent through our Webhooks API, you'll need to use a different validation method, which is documented in our Webhooks API documentation here: https://developers.hubspot.com/docs/methods/webhooks/webhooks-overview#security. In that case you should be generating an SHA256 hash from a concatenation of your app secret + the request body.
I think you're authenticating request signatures for webhooks sent from workflows, in which case you are concatenating the correct values. But I just wanted to make sure, because if you're not, that would explain the discrepancy here.
Also, thank you @balabanov for helping out here. I will also pass along the feedback that we should have better examples of this.
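An added example, not part of the thread and not HubSpot's or any poster's code: a Python check that combines the points raised above (hash the raw body bytes, use the public HTTPS URL rather than the proxied one, and reject a request that carries no signature header). The function names, the `v2` label for the method + URI form, the `v1` default when no version header is sent, and all sample values are assumptions.

```python
import hashlib
import hmac

# Constructed sample values, not real credentials or endpoints.
SAMPLE_SECRET = "constructed-app-secret"
SAMPLE_URL = "https://example.com/hubspot/hook"   # public URL, not the proxied http:// one
SAMPLE_BODY = '{"lastname":"Muñoz"}'.encode("utf-8")


def expected_signature(secret, body, version="v1", method="", public_url=""):
    """Hex SHA-256 over the concatenations described in the thread."""
    if version == "v1":      # Webhooks API: app secret + request body
        prefix = secret
    elif version == "v2":    # workflows: secret + method + URI + body ("v2" label assumed)
        prefix = secret + method.upper() + public_url
    else:
        raise ValueError("unsupported signature version: %r" % version)
    # Hash the raw bytes as received. Decoding and re-encoding the body can
    # change non-ASCII characters such as "ñ", and the digest with them.
    return hashlib.sha256(prefix.encode("utf-8") + body).hexdigest()


def verify(headers, body, secret, method, public_url):
    """Return True only if a signature header is present and matches."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    received = h.get("x-hubspot-signature")
    if not received:
        return False         # fail closed: a missing header is never a pass
    version = h.get("x-hubspot-signature-version", "v1")  # default is an assumption
    try:
        expected = expected_signature(secret, body, version, method, public_url)
    except ValueError:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())
```

Pass `verify` the body exactly as read from the socket, before any JSON parsing, and the URL as the sender addressed it.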