line / line-bot-sdk-go

LINE Messaging API SDK for Go

Home Page: https://developers.line.biz/en/docs/messaging-api/overview/

Bug Report: invalid signature in localhost via tunnel (ngrok or localhost.run)

proxy-hatch opened this issue · comments

System Information

  • Go version: go version go1.20.2 darwin/amd64
  • OS: macOS 13.2.1 (22D68)

Expected Behavior

signature validation should succeed with

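http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
	// ParseRequest checks the x-line-signature header against the raw body, then decodes the events.
	events, err := func() ([]*linebot.Event, error) {
		return bot.ParseRequest(req)
	}()
	// (error and event handling omitted in the report)
})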

Current Behavior

Got Error parsing request: invalid signature

Steps to Reproduce

  1. use a simple echo bot and run on localhost
  2. use ngrok or localhost.run tunnel to obtain an HTTPS endpoint
  3. set endpoint as webhook endpoint in LINE messaging console

Tried

Tried
ngrok http 8080 --region jp
ssh -R 80:localhost:8080 localhost.run
ssh -R 80:localhost:8080 localhost.run -- --no-inject-http-proxy-headers
all failed

When deployed (via AWS Lambda Function URL) however, signature validation passes.
So I highly suspect it is caused by HTTP tunneling

Similar thread reporting issue: https://www.line-community.me/en/question/5f040855851f74ab9c18db6a

Also tried implementing parseRequest() myself to skip signature validation, but got a different error Error parsing request: unexpected end of JSON input

// Needs: encoding/json, io, log, net/http and the linebot package.
func localParseRequest(r *http.Request) ([]*linebot.Event, error) {
	defer r.Body.Close()
	body, err := io.ReadAll(r.Body)
	if err != nil {
		log.Printf("unable to read request body: %v", err)
		return nil, err
	}
	// %s prints the payload as text; an empty or truncated payload here is
	// what makes json.Unmarshal return "unexpected end of JSON input".
	log.Printf("Request body: %s", body)

	request := &struct {
		Events []*linebot.Event `json:"events"`
	}{}
	if err = json.Unmarshal(body, request); err != nil {
		log.Printf("unable to unmarshal request body %q: %v", body, err)
		return nil, err
	}
	return request.Events, nil
}

A quick fix would be to support turning signature validation off, somehow.

also working with AWS SAM CLI local (package to container image I believe)

nevermind, this breaks after a while (a few days surprisingly). Must be some time-based signature validation

Is this a request coming from LINE? Is there a possibility that this issue is occurring due to requests that do not carry json other than LINE?

And can you check why it failed? Signature validation fails only if the request body or the x-line-signature header is modified. I don't think it's an SDK bug...
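The check discussed in the comment above, as an added example that is not part of the thread or the SDK's own code: LINE's signature is the Base64-encoded HMAC-SHA256 of the raw request body keyed with the channel secret, so any byte-level change to the body fails it. The names `sign`, `diagnose` and `newReq`, the secret and the sample bodies are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// sign returns base64(HMAC-SHA256(secret, body)), the value expected in x-line-signature.
func sign(secret string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// diagnose (hypothetical helper) reads the raw body once, restores it, and names the failure.
func diagnose(secret string, r *http.Request) string {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return "read error: " + err.Error()
	}
	r.Body = io.NopCloser(bytes.NewReader(body)) // a later parser can still read it
	switch header := r.Header.Get("X-Line-Signature"); {
	case header == "":
		return "no signature header"
	case len(body) == 0:
		return "empty body" // already consumed upstream, or not a webhook POST
	case !hmac.Equal([]byte(sign(secret, body)), []byte(header)):
		return "signature mismatch" // body bytes changed, or wrong channel secret
	}
	return "ok"
}

func newReq(sig string, received []byte) *http.Request { // constructed request
	r := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(received))
	r.Header.Set("X-Line-Signature", sig)
	return r
}

func main() {
	secret, sent := "constructed-secret", []byte(`{"destination":"U0","events":[]}`)
	for _, got := range [][]byte{sent, []byte(`{"destination": "U0", "events": []}`), nil} {
		fmt.Println(diagnose(secret, newReq(sign(secret, sent), got)))
	}
}
```

Running a check like this in front of the SDK parser shows which of the three conditions applies to a failing webhook, without disabling validation.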

This issue was closed because it has been inactive for 14 days.