Comments (8)
Just lost some time trying to get this right... not only are the docs completely wrong, leading to possible security breaches, but also the function does not work at all.
First, the docs part:
For this to work, you of course need your API KEY to have something to compare the signature to. Also, you should NOT use the string 'X-Hub-Signature'; it's actually a reference to the header you need to compare to:
pagarme.postback.calculateSignature(process.env.PAGARME_API_KEY, rawBody)
pagarme.postback.verifySignature(process.env.PAGARME_API_KEY, rawBody, req.headers['x-hub-signature'])
So I did that and after trying a lot, it still would not say a valid signature was valid.
If you log both the X-Hub-Signature header and the calculateSignature result, you will see that verifySignature will NEVER return true, as the X-Hub-Signature header is prefixed with sha1=.
So this function does not work AT ALL. To make it worse, the docs are misleading unaware devs:
@otaviopace's solution in this issue is basically generating a signature using the constant string X-Hub-Signature and whatever payload, then verifying it against the very same signature, by signing it again with the X-Hub-Signature string, and not the actual header sent from Pagarme. So it's not validating anything and creates a security breach.
I did EXACTLY that, prior to finding this issue, but luckily realized that it wasn't validating it against any useful information.
Then I find this issue, which was reported in 2017, and it's clearly misleading devs into security breaches.
Docs and code need fixing!!
For those who want to use this function, just use calculateSignature, prefix it with sha1= and compare it to X-Hub-Signature. Or you can use the Node.js crypto lib:
const { createHmac } = require('crypto')
// rawBody must be the raw request body exactly as received, not a re-serialized copy
const signature = createHmac('sha1', process.env.PAGARME_API_KEY).update(rawBody, 'utf-8').digest('hex')
// Pagar.me sends the header as "sha1=<hex digest>", so the prefix has to be added before comparing
if (req.headers['x-hub-signature'] !== `sha1=${signature}`) {
  // INVALID SIGNATURE
}
from pagarme-js.
@bmamone thanks for the detailed explanation
I've edited my comment so that it does not mislead any more developers into doing this wrong.
Unfortunately I can't help you more since I don't work for @pagarme anymore
Weird, I have just tried to use the approach without a client and it worked perfectly.
const pagarme = require('pagarme')
const signature = pagarme.postback.calculateSignature('X-Hub-Signature', 'postbackBody')
const verify = pagarme.postback.verifySignature('X-Hub-Signature', 'postbackBody', signature)
console.log('signature', signature) // signature e5f37003f940c0e578e7e07471164cbc987253af
console.log('verify', verify) // verify true
And it doesn't seem wrong to me, because those functions have nothing to do with a client, they are pure functions that don't depend on any state.
IMPORTANT EDIT
Use @bmamone solution down below instead
Awesome! Could you open a PR fixing this please? :D
Just faced this problem. At which point should the API key fit in the example?
I just tested and the approach used by @otaviopace always returns true, no matter the payload or the signature.
I'm also trying to figure out at which point I should use the client or the API key itself.
EDIT:
const pagarme = require('pagarme');
// 'key' and 'postbackBody' are placeholders for the real API key and raw postback body
pagarme.client.connect({ api_key: 'key' })
  .then(client => {
    // stray closing parenthesis removed so this parses
    const verify = client.security.verify('postbackBody', 'X-Hub-Signature');
  });
The example above is the correct way to do it.
Hmmm, I just tried passing a random set of characters to the verify function and it returned false as expected:
const pagarme = require('pagarme')
const RANDOM_SIGNATURE = 'aslkfdjalksjdflkajsf'
const verify = pagarme.postback.verifySignature('X-Hub-Signature', 'postbackBody', RANDOM_SIGNATURE)
console.log('verify', verify) // false
IMPORTANT EDIT
Use @bmamone solution down below instead
If you check the actual code for verifySignature:
const { createHmac } = require('crypto')
const { equals } = require('ramda') // plain equality helper, as used throughout pagarme-js

// HMAC-SHA1 of the raw postback body, keyed with the API key
function calculateSignature (key, postbackBody) {
  return createHmac('sha1', key)
    .update(postbackBody)
    .digest('hex')
}

// recompute the digest and compare it with whatever the caller passed as the header value
function verifySignature (key, postbackBody, headerSignature) {
  const signature = calculateSignature(key, postbackBody)
  return equals(signature, headerSignature)
}
The first parameter is expected to be the API key, the second one the postback body and the third one the X-Hub-Signature header.
The function does nothing but create a hash of the body using your API key and check whether it is equal to the same hashing done by Pagarme's server.
So there is no way for this to be done without using your API key in the process.