Deposco Webhook
Hello,
I'm attempting to connect to a webhook sent from the Deposco WMS software's webhook. I worked with Celigo Developer Katie Thorpe who had the following to say:
"
The Deposco team provided the below as how they encrypt and decrypt data. But we were able to send the exact same retry data to the webhook using Postman. Essentially something about how they encrypt and decrypt seems to be handled slightly differently than how Celigo natively does so.
We were using Hexadecimal for the HMAC Encoding on the Webhook, which their documentation and the logic below seems to support.
import hmac
import hashlib
WEBHOOK_SECRET_KEY =
'{{SecretKeyPlaceholder}}'
HMAC_TO_VERIFY = '{{SecretKeyPlaceholder}}'
REQUEST_BODY = 'test'
def verify_webhook(data, hmac_header):
digest = hmac.new( bytes.fromhex(WEBHOOK_SECRET_KEY), data.encode('utf-8'),
digestmod=hashlib.sha256).digest()
computed_hmac = digest.hex()
return hmac.compare_digest(computed_hmac.encode('utf-8'), hmac_header.encode
('utf-8'))
print(verify_webhook(REQUEST_BODY, HMAC_TO_VERIFY)) # True
"
Can you help me troubleshoot this connection further?
Comments
Jack Harris I played around a bit and ended on a python script like this that worked. For starters, webhooks don't accept plain text so you would need to send JSON or XML. The second thing I found is sorting the keys of the body is needed and without sorting the keys, it fails.
Here is a JavaScript pre-request script that does the same in Postman and works:
Jack Harris I checked this out a little more and I think Deposco isn't generating the HMAC correctly. They need to make sure that the body being sent is the same as the body being put into generating the HMAC. Issues occur when tabs/whitespaces are removed from the body, but not from when generating the HMAC or vice versus.
For example, if they send the below in the body,
but send
in the body of HMAC generation, then the signature will not match.
To ensure proper formatting, they should generate like this:
Jack Harris I reviewed the ticket and tested it myself and it looks like Deposco isn't even sending the HMAC header. I'll leave this for the support ticket at this point.
For the sake of anyone else attempting to connect to the Deposco WMS software's webhook, the solution was to use a Secret URL instead of an HMAC connection because, for whatever reason, the HMAC is not included in Deposco's header to Celigo.
Please sign in to leave a comment.