Deposco Webhook

Hello,

I'm attempting to connect to a webhook sent from the Deposco WMS software's webhook. I worked with Celigo Developer Katie Thorpe who had the following to say:

"

The Deposco team provided the below as how they encrypt and decrypt data. But we were able to send the exact same retry data to the webhook using Postman. Essentially something about how they encrypt and decrypt seems to be handled slightly differently than how Celigo natively does so.

 

We were using Hexadecimal for the HMAC Encoding on the Webhook, which their documentation and the logic below seems to support.

 

import hmac
import hashlib
WEBHOOK_SECRET_KEY =
'{{SecretKeyPlaceholder}}'
HMAC_TO_VERIFY = '{{SecretKeyPlaceholder}}'
REQUEST_BODY = 'test'
def verify_webhook(data, hmac_header):
    digest = hmac.new( bytes.fromhex(WEBHOOK_SECRET_KEY), data.encode('utf-8'),
digestmod=hashlib.sha256).digest()
    computed_hmac = digest.hex()
return hmac.compare_digest(computed_hmac.encode('utf-8'), hmac_header.encode
('utf-8'))
print(verify_webhook(REQUEST_BODY, HMAC_TO_VERIFY)) # True 

"

Can you help me troubleshoot this connection further?

0

Comments

4 comments
Date Votes
  • Jack Harris I played around a bit and ended on a python script like this that worked. For starters, webhooks don't accept plain text so you would need to send JSON or XML. The second thing I found is sorting the keys of the body is needed and without sorting the keys, it fails. 

    
    
    import hmac
    import hashlib
    import json
    
    # Define secret key and request body
    WEBHOOK_SECRET_KEY = '50qaL883baRa5kgg'
    REQUEST_BODY = {
        "event": "order.created",
        "order_id": "12345",
        "amount": 100.50
    }
    
    # Convert JSON payload to a compact string with sorted keys
    data_str = json.dumps(REQUEST_BODY, separators=(',', ':'), sort_keys=True)
    
    # Generate HMAC for JSON payload
    digest = hmac.new(WEBHOOK_SECRET_KEY.encode('utf-8'), data_str.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()
    
    print("JSON Payload:", data_str)
    print("Generated HMAC:", digest)

     

    Here is a JavaScript pre-request script that does the same in Postman and works:

    
    
    // Define the secret key and JSON payload
    const secretKey = '50qaL883baRa5kgg';  // Replace with your actual secret key
    const requestBody = {
        "event": "order.created",
        "order_id": "12345",
        "amount": 100.50
    };
    
    // Convert JSON payload to a compact string with sorted keys
    const dataStr = JSON.stringify(requestBody, Object.keys(requestBody).sort());
    
    // Utility function for HMAC SHA-256 calculation with explicit UTF-8 encoding
    function generateHMAC(key, message) {
        var hash = CryptoJS.HmacSHA256(CryptoJS.enc.Utf8.parse(message), CryptoJS.enc.Utf8.parse(key));
        return CryptoJS.enc.Hex.stringify(hash);
    }
    
    // Generate the HMAC for the request body
    const hmac = generateHMAC(secretKey, dataStr);
    
    // Set the generated HMAC as a header
    pm.request.headers.add({
        key: 'X-MY-HMAC',
        value: hmac
    });
    
    // Set the JSON payload as the body of the request
    pm.request.body.raw = dataStr;
    
    // Debugging (Optional)
    console.log("JSON Payload:", dataStr);
    console.log("Generated HMAC:", hmac);
    0
  • Jack Harris I checked this out a little more and I think Deposco isn't generating the HMAC correctly. They need to make sure that the body being sent is the same as the body being put into generating the HMAC. Issues occur when tabs/whitespaces are removed from the body, but not from when generating the HMAC or vice versus.

     

    For example, if they send the below in the body,

    
    
    {
    	"test": 1
    }

    but send 

    
    
    {"test":1}

    in the body of HMAC generation, then the signature will not match.

     

    To ensure proper formatting, they should generate like this:

    
    
    # Convert JSON payload to a compact string with sorted keys
    data_str = json.dumps(REQUEST_BODY, separators=(',', ':'), sort_keys=False)
    
    # alternate way to make sure json stays with it's original format
    # data_str = json.dumps(REQUEST_BODY, indent=4)
    
    # Generate HMAC for JSON payload
    digest = hmac.new(WEBHOOK_SECRET_KEY.encode('utf-8'), data_str.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()
    0
  • Jack Harris I reviewed the ticket and tested it myself and it looks like Deposco isn't even sending the HMAC header. I'll leave this for the support ticket at this point.

    0
  • For the sake of anyone else attempting to connect to the Deposco WMS software's webhook, the solution was to use a Secret URL instead of an HMAC connection because, for whatever reason, the HMAC is not included in Deposco's header to Celigo. 

    0

Please sign in to leave a comment.

 

Didn't find what you were looking for?

New post