HubSpot / hubspot-api-php

HubSpot API PHP Client Libraries for V3 version of the API

Verification fails for GET requests with Laravel

repat opened this issue · comments

commented

The signature validation doesn't seem to work properly with this library.
POST requests work, but not GET requests coming for crmCards.

I can see that you have a UnitTest for v3 as well, but only for POST, not GET.

This is my code:

use HubSpot\Utils\Signature;

// Version 3 doesn't work
$result = Signature::isValid([
      'signature' => $request->header('X-HubSpot-Signature-v3'),
      'secret' => 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', // comes from env/config file
      'requestBody' => $request->getContent(), // Like your test, this is an empty string for GET
      'httpUri' => $request->fullUrl(), // this includes https:// (not http://) and query parameters
      'httpMethod' => strtoupper($request->method()),
      'timestamp' => $request->header('X-HubSpot-Request-Timestamp'),
      'signatureVersion' => 'v3',
      'checkTimestamp' => true,
]);

// $result is false

// Version 2 also doesn't work
$result = Signature::isValid([
      'signature' => $request->header('X-HubSpot-Signature'),
      'secret' => 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', // comes from env/config file
      'requestBody' => $request->getContent(), // Like your test, this is an empty string for GET
      'httpUri' => $request->fullUrl(), // this includes https:// (not http://) and query parameters
      'httpMethod' => strtoupper($request->method()),
      'timestamp' => $request->header('X-HubSpot-Request-Timestamp'),
      'signatureVersion' => 'v2',
      'checkTimestamp' => false,
]);

// $result is false

This is what the Laravel documentation says:

$request->fullUrl()

To retrieve the full URL for the incoming request you may use the url or fullUrl methods. The url method will return the URL without the query string, while the fullUrl method includes the query string:
-- https://laravel.com/docs/10.x/requests#retrieving-the-request-url

$request->header()

You may retrieve a request header from the Illuminate\Http\Request instance using the header method. If the header is not present on the request, null will be returned.
-- https://laravel.com/docs/10.x/requests#request-headers

$request->method()

The method method will return the HTTP verb for the request
-- https://laravel.com/docs/10.x/requests#retrieving-the-request-method

$request->getContent()

Finally, the raw data sent with the request body can be accessed using getContent()
-- https://symfony.com/doc/current/components/http_foundation.html#accessing-request-data

commented

I'll leave this here in case somebody else has problems like this:

$request->fullUrl() reorders the GET parameters. The solution is to use

'httpUri' => config('app.url') . $request->getRequestUri(),
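
Why the reordering described in the last comment breaks validation, as an added example that is not part of the original thread or the library's own code. It assumes the v3 scheme is a base64-encoded HMAC-SHA256 over method + URI + body + timestamp, and it approximates the query normalization with `parse_str`/`ksort`; `signV3`, `sortedQueryUrl`, the URL and the timestamp are constructed for illustration.

```php
<?php
// Added example: constructed values only, nothing here comes from a real request.
const SECRET = 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy'; // placeholder secret, as in the issue

// Assumed v3 scheme: base64(HMAC-SHA256(secret, method + uri + body + timestamp)).
function signV3(string $secret, string $method, string $uri, string $body, string $timestamp): string
{
    return base64_encode(hash_hmac('sha256', $method . $uri . $body . $timestamp, $secret, true));
}

// Approximation of a framework that re-serializes the query string with sorted keys.
function sortedQueryUrl(string $url): string
{
    $parts = explode('?', $url, 2);
    if (count($parts) < 2 || $parts[1] === '') {
        return $parts[0];
    }
    parse_str($parts[1], $params);
    ksort($params);
    return $parts[0] . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

$timestamp = '1700000000000'; // constructed
$sent = 'https://app.example.test/hubspot/crm-card?userId=42&associatedObjectId=7&portalId=99';

// What the sender computed over the URL exactly as it was requested.
$signature = signV3(SECRET, 'GET', $sent, '', $timestamp);

// The receiver must sign the same bytes; a re-sorted query string is a different message.
foreach (['as sent' => $sent, 'sorted' => sortedQueryUrl($sent)] as $label => $uri) {
    $expected = signV3(SECRET, 'GET', $uri, '', $timestamp);
    $verdict = hash_equals($expected, $signature) ? 'valid' : 'INVALID';
    printf("%-8s %s => %s\n", $label, $uri, $verdict);
}
```

The same byte-for-byte requirement applies to the scheme and host: the `config('app.url')` form only verifies when `app.url` matches the public URL that was actually called.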