I'm trying to validate the contents of a webhook payload from the WhatsApp webhooks using the steps in the Facebook developer docs.
I don't understand what this means:
Please note that we generate the signature using an escaped unicode version of the payload, with lowercase hex digits. If you just calculate against the decoded bytes, you will end up with a different signature. For example, the string äöå should be escaped to \u00e4\u00f6\u00e5.
That's why I've always got false when comparing the hash value. And I want to make it in PHP/Laravel.
After some time I tried to use
$knownSignature = (new UnicodeString($request->getContent()))->normalize(UnicodeString::NFKC);
and
$knownSignature = Str::ascii($request->getContent());
But it still doesn't match. Even when I tried to convert äöå, it is still outputting \u00e4\u00f6\u00e5
I've done just like @CBroe said. It did not work in my previous function, but when I remade it like this, it works:
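protected function validatePayloads(string $waSignature, string $payloads): bool
{
    // The header has the form "<algo>=<hex digest>"; keep only the digest part.
    $receivedSignature = explode('=', $waSignature, 2)[1] ?? '';

    // HMAC-SHA256 over the raw request body, keyed with the app secret.
    $generatedSignature = hash_hmac(
        'sha256',
        $payloads,
        config('app.app_secret')
    );

    // hash_equals() compares in constant time and avoids the type juggling of ==.
    return hash_equals($generatedSignature, $receivedSignature);
}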
Just like @CBroe said, you need to hash the raw request.
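The following is an added example, not part of the original post: a plain-PHP sketch showing why the HMAC has to be computed over the raw body bytes. The function name `verifyWebhookSignature`, the secret and the sample body are all constructed for this demo; the first call prints `true`, while the re-encoded body and the malformed header both print `false`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the post): check a "sha256=<hex>" signature
// header against the raw, unmodified request body.
function verifyWebhookSignature(string $header, string $rawBody, string $secret): bool
{
    // Accept only "sha256=" followed by exactly 64 lowercase hex digits.
    if (preg_match('/\Asha256=([0-9a-f]{64})\z/', $header, $m) !== 1) {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // Constant-time comparison; no loose-equality type juggling.
    return hash_equals($expected, $m[1]);
}

// Constructed sample data, made up for this demo.
$secret = 'constructed-demo-secret';
// The body as it arrives on the wire: non-ASCII is already escaped as \uXXXX.
// (Single quotes keep the backslashes literal in PHP.)
$rawBody = '{"text":"\u00e4\u00f6\u00e5"}';
// The header a sender would compute over exactly those bytes.
$header = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);

// Case 1: the raw body, byte for byte as received.
var_dump(verifyWebhookSignature($header, $rawBody, $secret));

// Case 2: the body decoded and re-encoded with literal UTF-8 characters.
// The JSON is equivalent, but the bytes differ, so the HMAC differs.
$reencoded = json_encode(json_decode($rawBody, true), JSON_UNESCAPED_UNICODE);
var_dump(verifyWebhookSignature($header, $reencoded, $secret));

// Case 3: a malformed header with no digest part is rejected outright.
var_dump(verifyWebhookSignature('sha256', $rawBody, $secret));
```

In Laravel, the raw body is what `$request->getContent()` returns, as long as nothing normalizes or re-serializes it before hashing.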