Verification fails for GET requests with Laravel
repat opened this issue · comments
The signature validation doesn't seem to work properly with this library.
POST requests work, but not GET requests coming for crmCards.
I can see that you have a UnitTest for v3 as well, but only for POST, not GET.
This is my code:
use HubSpot\Utils\Signature;

// Version 3 doesn't work
$result = Signature::isValid([
    'signature' => $request->header('X-HubSpot-Signature-v3'),
    'secret' => 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', // comes from env/config file
    'requestBody' => $request->getContent(), // Like your test, this is an empty string for GET
    'httpUri' => $request->fullUrl(), // this includes https:// (not http://) and query parameters
    'httpMethod' => strtoupper($request->method()),
    'timestamp' => $request->header('X-HubSpot-Request-Timestamp'),
    'signatureVersion' => 'v3',
    'checkTimestamp' => true,
]);
// $result is false

// Version 2 also doesn't work
$result = Signature::isValid([
    'signature' => $request->header('X-HubSpot-Signature'),
    'secret' => 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', // comes from env/config file
    'requestBody' => $request->getContent(), // Like your test, this is an empty string for GET
    'httpUri' => $request->fullUrl(), // this includes https:// (not http://) and query parameters
    'httpMethod' => strtoupper($request->method()),
    'timestamp' => $request->header('X-HubSpot-Request-Timestamp'),
    'signatureVersion' => 'v2',
    'checkTimestamp' => false,
]);
// $result is false
This is what the Laravel documentation says:
$request->fullUrl()
To retrieve the full URL for the incoming request you may use the url or fullUrl methods. The url method will return the URL without the query string, while the fullUrl method includes the query string:
-- https://laravel.com/docs/10.x/requests#retrieving-the-request-url
$request->header()
You may retrieve a request header from the Illuminate\Http\Request instance using the header method. If the header is not present on the request, null will be returned.
-- https://laravel.com/docs/10.x/requests#request-headers
$request->method()
The method method will return the HTTP verb for the request
-- https://laravel.com/docs/10.x/requests#retrieving-the-request-method
$request->getContent()
Finally, the raw data sent with the request body can be accessed using getContent()
-- https://symfony.com/doc/current/components/http_foundation.html#accessing-request-data
I'll leave this here in case somebody else has problems like this:
$request->fullUrl() reorders the GET parameters. The solution is to use
'httpUri' => config('app.url') . $request->getRequestUri(),
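
Why the reordering described above breaks verification, as an added example (not code from this issue or from the HubSpot library). It assumes the v3 signature is a base64-encoded HMAC-SHA256 over method + URI + body + timestamp, and approximates the reordering with a hypothetical `normalizedUrl()` helper; `signV3()`, `verifyV3()`, the secret, URL and timestamp are all constructed for illustration.

```php
<?php
// Added example. Secret, URL and timestamp are constructed values.

// Assumed v3 scheme: base64(HMAC-SHA256(secret, method . uri . body . timestamp)).
function signV3(string $secret, string $method, string $uri, string $body, string $ts): string
{
    return base64_encode(hash_hmac('sha256', $method . $uri . $body . $ts, $secret, true));
}

// Hypothetical helper approximating the reordering: parse the query, sort by key, rebuild.
function normalizedUrl(string $url): string
{
    [$base, $query] = array_pad(explode('?', $url, 2), 2, '');
    if ($query === '') {
        return $base;
    }
    parse_str($query, $params);
    ksort($params);
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Recompute the signature over the given URI and compare in constant time.
function verifyV3(string $secret, string $method, string $uri, string $body, string $ts, string $sig): bool
{
    return hash_equals(signV3($secret, $method, $uri, $body, $ts), $sig);
}

$secret = 'constructed-secret';
$ts     = '1700000000000';
// URL as the sender built and signed it; the keys are not in alphabetical order.
$sentUrl = 'https://app.example.test/hubspot/card?userId=42&associatedObjectId=7&portalId=1';
$sig     = signV3($secret, 'GET', $sentUrl, '', $ts);

$reordered = normalizedUrl($sentUrl);
echo "as sent:   $sentUrl\n";
echo "reordered: $reordered\n";

// Same parameters, different byte string, so the HMAC input differs.
echo 'verify(reordered): ', var_export(verifyV3($secret, 'GET', $reordered, '', $ts, $sig), true), "\n";
echo 'verify(as sent):   ', var_export(verifyV3($secret, 'GET', $sentUrl, '', $ts, $sig), true), "\n";
```

Verification has to run over the URI bytes exactly as the sender signed them, which is why building `httpUri` from `getRequestUri()` (the path and query string as received) works where a rebuilt URL does not.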