I'm trying to accept form responses from Typeform using Python/Django/DRF and am having trouble authenticating the webhook request due to not being able to get the hashes to match.
Here are the instructions from Typeform:
1. Using the HMAC SHA-256 algorithm, create a hash (using created_token as a key) of the entire received payload as binary.
2. Encode the binary hash in base64 format.
3. Add prefix sha256= to the binary hash.
4. Compare the created value with the signature you received in the Typeform-Signature header from Typeform.
authentication.py
class TypeformAuthentication(authentication.BaseAuthentication):
def authenticate(self, request):
typeform_signature = request.META.get('HTTP_TYPEFORM_SIGNATURE')
data = request.body
secret_key = os.environ.get('TYPEFORM_SECRET_KEY')
if not typeform_signature:
return None
if typeform_signature:
hash = hmac.new(bytes(secret_key, encoding='utf-8'), data, hashlib.sha256)
actual_signature = 'sha256={}'.format(base64.b64encode(hash.digest()).decode())
user = User.objects.get(username='typeform-user')
if actual_signature == typeform_signature:
return(user, None)
else:
raise exceptions.AuthenticationFailed('Typeform signature does not match.')
else:
return None
Example Payload
{
"event_id": "01DTXE27VQSA3JP8ZMP0GF9HCP",
"event_type": "form_response",
"form_response": {
"form_id": "OOMZur",
"token": "01DTXE27VQSA3JP8ZMP0GF9HCP",
"landed_at": "2019-11-30T05:55:46Z",
"submitted_at": "2019-11-30T05:55:46Z",
"definition": {
"id": "OOMZur",
"title": "Auto Liability (New Company)",
"fields": [
{
"id": "GnpcIrevGZQP",
"title": "What is your business name?",
"type": "short_text",
"ref": "3e60e064-f14c-4787-9968-0358e8f34468",
"properties": {}
}
]
},
"answers": [
{
"type": "text",
"text": "Lorem ipsum dolor",
"field": {
"id": "GnpcIrevGZQP",
"type": "short_text",
"ref": "3e60e064-f14c-4787-9968-0358e8f34468"
}
}
]
}
}
Typeform Generated Hash
sha256=jdzKuFkijyBIMvmGyveHfcfzcNXUeQCuveNGP6CEdXk=
authentication.py Generated Hash
sha256=at4SsBIi2IXJ8vr1Ix3tHW7iK9q5KQfx20EBa+l9wKU=
I was able to get this working. Just in case anyone is having trouble authenticating webooks. I found this guide and adapted it.
Instead of handling it inside of authentication. I changed to handling it with the view.
import hashlib
import hmac
import json
import base64
import os
@csrf_exempt
def inbound_application_create_view(request):
header_signature = request.META.get('HTTP_TYPEFORM_SIGNATURE')
if header_signature is None:
return HttpResponseForbidden('Permission denied.')
sha_name, signature = header_signature.split('=', 1)
if sha_name != 'sha256':
return HttpResponseServerError('Operation not supported.', status=501)
mac = hmac.new(force_bytes(os.environ.get('TYPEFORM_SECRET_KEY')), msg=force_bytes(request.body), digestmod=hashlib.sha256)
if not hmac.compare_digest(force_bytes(base64.b64encode(mac.digest()).decode()), force_bytes(signature)):
return HttpResponseForbidden('Permission denied.')
return HttpResponse('pong')