How can I verify a TransferWise payload with their signature and public key?
I am trying to verify the payload that arrives at my webhook from the TransferWise API.
API Link: https://api-docs.transferwise.com/#webhook-events-webhook-handlers
I have set up a public HTTPS endpoint via Google Cloud Functions.
index.ts
import * as functions from "firebase-functions";
import { wiseWebhookTest } from "./wise/webHooks";
exports.wiseWebhookTest = functions.https.onRequest(wiseWebhookTest);
webHooks.ts
import * as crypto from "crypto";
import * as functions from "firebase-functions";
const livePublicKey = `
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvO8vXV+JksBzZAY6GhSO
XdoTCfhXaaiZ+qAbtaDBiu2AGkGVpmEygFmWP4Li9m5+Ni85BhVvZOodM9epgW3F
bA5Q1SexvAF1PPjX4JpMstak/QhAgl1qMSqEevL8cmUeTgcMuVWCJmlge9h7B1CS
D4rtlimGZozG39rUBDg6Qt2K+P4wBfLblL0k4C4YUdLnpGYEDIth+i8XsRpFlogx
CAFyH9+knYsDbR43UJ9shtc42Ybd40Afihj8KnYKXzchyQ42aC8aZ/h5hyZ28yVy
Oj3Vos0VdBIs/gAyJ/4yyQFCXYte64I7ssrlbGRaco4nKF3HmaNhxwyKyJafz19e
HwIDAQAB
-----END PUBLIC KEY-----`;
const sandboxPublicKey = `
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwpb91cEYuyJNQepZAVfP
ZIlPZfNUefH+n6w9SW3fykqKu938cR7WadQv87oF2VuT+fDt7kqeRziTmPSUhqPU
ys/V2Q1rlfJuXbE+Gga37t7zwd0egQ+KyOEHQOpcTwKmtZ81ieGHynAQzsn1We3j
wt760MsCPJ7GMT141ByQM+yW1Bx+4SG3IGjXWyqOWrcXsxAvIXkpUD/jK/L958Cg
nZEgz0BSEh0QxYLITnW1lLokSx/dTianWPFEhMC9BgijempgNXHNfcVirg1lPSyg
z7KqoKUN0oHqWLr2U1A+7kqrl6O2nx3CKs1bj1hToT1+p4kcMoHXA7kA+VBLUpEs
VwIDAQAB
-----END PUBLIC KEY-----`;
const SIGNATURE_HEADER = "X-Signature-SHA256";
const validatePayload = (
  sandbox = false,
  payload: any,
  signature: string
) => {
  const sig = crypto.createVerify("RSA-SHA1");
  sig.update(payload);
  const verified = sig.verify(
    sandbox ? sandboxPublicKey : livePublicKey,
    signature,
    "base64"
  );
  return verified;
};
const isValidSignature = (request: functions.https.Request): boolean => {
  const signature = request.get(SIGNATURE_HEADER) as string;
  return validatePayload(true, request.rawBody, signature);
};
export const wiseWebhookTest = (
  request: functions.https.Request,
  response: functions.Response
): Promise<void> => {
  if (!isValidSignature(request)) {
    sendError(response, "Invalid Signature");
    return Promise.resolve();
  }
  console.log(`Signature is valid`);
  // respond positively to Wise, even though we don't process it
  response.status(200).send({});
  return Promise.resolve();
};
sig.verify() always returns false.
I am testing in the TransferWise sandbox: https://sandbox.transferwise.tech/
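One part of the code has const SIGNATURE_HEADER = "X-Signature-SHA256"; while the second part has "RSA-SHA1". I would definitely not recommend SHA-1 for signatures, so I would upgrade the second code snippet to use SHA-256.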
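The digest mismatch described in the answer above, shown as an added example that is not part of the original post: a signature produced with RSA-SHA256 verifies only when the receiver uses the same digest over the exact raw bytes. It is written in plain JavaScript for Node; the key pair is generated locally as a stand-in for the provider's key, and the body and the helper names (signBody, verifyBody, demo) are constructed for illustration.

```javascript
// Added example. The key pair is generated locally and stands in for the
// provider's signing key; the webhook body is a constructed sample.
const crypto = require("node:crypto");

const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});

// Sender side (simulated): RSA signature over SHA-256, base64-encoded,
// which is what a header named X-Signature-SHA256 implies.
function signBody(rawBody) {
  return crypto.createSign("RSA-SHA256").update(rawBody).sign(privateKey, "base64");
}

// Receiver side: verify the exact bytes received. Fails closed: a missing
// header or any library error counts as an invalid signature.
function verifyBody(rawBody, signatureB64, algorithm = "RSA-SHA256") {
  if (typeof signatureB64 !== "string" || signatureB64.length === 0) {
    return false;
  }
  try {
    return crypto
      .createVerify(algorithm)
      .update(rawBody)
      .verify(publicKey, signatureB64, "base64");
  } catch (err) {
    return false;
  }
}

// Constructed body, kept as raw bytes the way request.rawBody delivers it.
const rawBody = Buffer.from('{"event_type": "test", "data": {"id": 1}}', "utf8");
const signature = signBody(rawBody);

function demo() {
  // Parsing and re-serializing drops the whitespace, so the bytes change.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString("utf8"))));
  return {
    sha256: verifyBody(rawBody, signature), // same digest, same bytes
    sha1: verifyBody(rawBody, signature, "RSA-SHA1"), // digest mismatch
    reserialized: verifyBody(reserialized, signature), // bytes differ
    missingHeader: verifyBody(rawBody, undefined), // no signature header
  };
}

console.log(demo());
```

Only the first check succeeds; the RSA-SHA1 check fails for the same reason the question's sig.verify() returns false.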