Bug Report: invalid signature in localhost via tunnel (ngrok or localhost.run)
proxy-hatch opened this issue · comments
System Information
- Go version: go version go1.20.2 darwin/amd64
- OS: macOS 13.2.1 (22D68)
Expected Behavior
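Signature validation should succeed with:

    http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
        // ParseRequest reads the body and checks it against the X-Line-Signature header.
        events, err := func() ([]*linebot.Event, error) {
            return bot.ParseRequest(req)
        }()
        // events and err are handled here
    })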
Current Behavior
Got Error parsing request: invalid signature
Steps to Reproduce
- use a simple echo bot and run on localhost
- use ngrok or localhost.run tunnel to obtain an HTTPS endpoint
- set endpoint as webhook endpoint in LINE messaging console
Tried
    ngrok http 8080 --region jp
    ssh -R 80:localhost:8080 localhost.run
    ssh -R 80:localhost:8080 localhost.run -- --no-inject-http-proxy-headers

All failed.
When deployed (via AWS Lambda Function URL) however, signature validation passes.
So I highly suspect it is caused by HTTP tunneling
Similar thread reporting issue: https://www.line-community.me/en/question/5f040855851f74ab9c18db6a
Also tried implementing parseRequest() myself to skip signature validation, but got a different error: Error parsing request: unexpected end of JSON input

    func localParseRequest(r *http.Request) ([]*linebot.Event, error) {
        defer r.Body.Close()
        // The body is a stream and can be read only once per request.
        body, err := io.ReadAll(r.Body)
        if err != nil {
            log.Printf("unable to read request body: %v", err)
            return nil, err
        }
        // %s prints the JSON text; %v would print the bytes as a list of numbers.
        log.Printf("Request body: %s", body)
        request := &struct {
            Events []*linebot.Event `json:"events"`
        }{}
        if err = json.Unmarshal(body, request); err != nil {
            log.Printf("unable to unmarshal request body %q: %v", body, err)
            return nil, err
        }
        return request.Events, nil
    }
A quick fix would be to support turning signature validation off, somehow.
also working with AWS SAM CLI local (package to container image I believe)
nevermind, this breaks after a while (a few days surprisingly). Must be some time-based signature validation
Is this a request coming from LINE? Is there a possibility that this issue is occurring due to requests that do not carry JSON other than LINE?
And can you check why it failed? Signature validation fails only if the request body or the x-line-signature header is modified. I don't think it's an SDK bug...
This issue was closed because it has been inactive for 14 days.
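
A diagnostic that can run before `bot.ParseRequest` to tell the failure modes discussed in this thread apart, added here as an example and not taken from the issue or the SDK. It relies on LINE's documented scheme: the raw request body is signed with HMAC-SHA256 keyed by the channel secret and sent base64-encoded in `X-Line-Signature`. The names `sign`, `diagnose` and `newReq`, the secret and the payload are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sign returns base64(HMAC-SHA256(channel secret, raw body)), the X-Line-Signature value.
func sign(secret string, body []byte) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write(body)
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// diagnose reads the raw body once, restores it for later parsing, and names the failure.
func diagnose(secret string, r *http.Request) string {
	body, err := io.ReadAll(r.Body)
	r.Body = io.NopCloser(bytes.NewReader(body)) // bot.ParseRequest can still read it
	switch {
	case err != nil:
		return "body read error"
	case len(body) == 0:
		return "empty body" // json.Unmarshal on this gives "unexpected end of JSON input"
	case r.Header.Get("X-Line-Signature") == "":
		return "no signature header"
	case !hmac.Equal([]byte(r.Header.Get("X-Line-Signature")), []byte(sign(secret, body))):
		return "signature mismatch" // body or header changed in transit, or wrong secret
	}
	return "ok"
}

func newReq(body, sig string) *http.Request { // constructed webhook POST for the demo
	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	r.Header.Set("X-Line-Signature", sig)
	return r
}

func main() {
	body := `{"destination":"Uconstructed","events":[]}` // constructed sample payload
	for _, b := range []string{body, body + "\n", ""} { // intact, altered, empty
		fmt.Println(diagnose("constructed-secret", newReq(b, sign("constructed-secret", []byte(body)))))
	}
}
```

Logging the result of `diagnose` next to the body length on each webhook call shows whether the tunnel delivers the body byte-for-byte, which is the condition the signature depends on.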