Webhook v3 not supported

Question

Webhook v3 not supported

repat opened this issue a year ago · comments

File: lib/Utils/Webhooks.php

<?php

namespace HubSpot\Utils;

use Exception;

/**
 * @deprecated
 */
class Webhooks
{
    /**
     * Validation of Hubspot Signature.
     *
     * @deprecated
     *
     * @param string $signature   hubspot signarute
     * @param string $secret      the Secret of your app
     * @param string $requestBody a set of scopes that your app will need access to
     */
    public static function isHubspotSignatureValid(
        string $signature,
        string $secret,
        string $requestBody,
        string $httpUri = null,
        string $httpMethod = 'POST',
        string $signatureVersion = 'v1'
    ): bool {
        $sourceString = null;
        if ('v1' == $signatureVersion) {
            $sourceString = $secret.$requestBody;
        } elseif ('v2' == $signatureVersion) {
            $sourceString = $secret.$httpMethod.$httpUri.$requestBody;
        } else {
            throw new Exception("Not supported signature version: {$signatureVersion}");
        }

        return $signature == hash('sha256', $sourceString);
    }
}

However, your documentation says this: https://developers.hubspot.com/docs/api/webhooks/validating-requests. You'd need to add a timestamp to the signature (let's call it $xHubSpotSignaturev3). For the record, it should be this

$sourceString = $httpMethod . $httpUri . $requestBody . $xHubSpotRequestTimestamp;
$calculatedSignature = base64_encode(hash_hmac('sha256', $sourceString, $secret, true)); // true = binary
return hash_equals($calculatedSignature, $signature);

repat · Answer 1 · Tue Mar 07 2023 18:56:18 GMT+0800 (China Standard Time)

I just found https://github.com/HubSpot/hubspot-api-php/blob/master/lib/Utils/Signature.php by going through your Unit Tests. I missed that the one above is marked as @deprecated.