Our app subscribes to the webhook events callee ended, caller ended, caller is connected to callee, callee answered phone call. When we get a payload, we calculate the auth signature and return a 401 if the signature in the payload header (x-zm-signature) doesn’t match what we calculated. Sometimes the x-zm-signature doesn’t match our calculated signature and we don’t really know why. Not all events fail, which is the odd part. I would assume that our algorithm would be all or nothing. Why would it work for some and fail for others?
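```python
import hashlib
import hmac
import json

head = request.headers
# Message to sign: "v0:<timestamp header>:<parsed body re-serialized as compact JSON>"
message = f"v0:{head['x-zm-request-timestamp']}:{json.dumps(request_data, separators=(',', ':'))}"
hashForVerify = hmac.new(
    config.values.ZOOM_SECRET_TOKEN.encode(),
    message.encode(),
    hashlib.sha256,
).hexdigest()
signature = f"v0={hashForVerify}"
# Reject the request when the header does not match the calculated signature
if head.get("x-zm-signature") != signature:
    raise HTTPException(
        status_code=401,
        detail="Not authorized",
    )
```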
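Added example (not part of the original post and not Zoom's code): one way a check built like the one above can pass for some payloads and fail for others is that `json.dumps` on the parsed body does not always reproduce the bytes that were received, for instance when a value contains non-ASCII characters. The sketch compares verifying over the raw body with verifying over the re-serialized body. It assumes the sender signs the exact bytes it transmits; the secret, timestamp, event name and payloads are constructed.

```python
import hashlib
import hmac
import json


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """v0=<hex HMAC-SHA256> over b"v0:<timestamp>:<body>", the scheme shown in the post."""
    message = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_raw(secret: str, timestamp: str, raw_body: bytes, header_sig: str) -> bool:
    """Verify over the bytes exactly as received, with a constant-time comparison."""
    return hmac.compare_digest(sign(secret, timestamp, raw_body), header_sig)


def verify_reserialized(secret: str, timestamp: str, raw_body: bytes, header_sig: str) -> bool:
    """The post's approach: parse the body, then re-serialize it before hashing."""
    rebuilt = json.dumps(json.loads(raw_body), separators=(",", ":")).encode()
    return hmac.compare_digest(sign(secret, timestamp, rebuilt), header_sig)


# Constructed sample data (not real payloads or secrets).
SECRET = "example-secret-token"
TS = "1700000000"
ASCII_BODY = b'{"event":"callee_ended","payload":{"callee":{"name":"Ana"}}}'
UTF8_BODY = '{"event":"callee_ended","payload":{"callee":{"name":"Zoë"}}}'.encode()


def demo() -> dict:
    """Return {label: (raw_ok, reserialized_ok)} for each sample body."""
    results = {}
    for label, body in (("ascii", ASCII_BODY), ("utf8", UTF8_BODY)):
        # Assumption: the sender computes the signature over the raw body bytes.
        header_sig = sign(SECRET, TS, body)
        results[label] = (
            verify_raw(SECRET, TS, body, header_sig),
            verify_reserialized(SECRET, TS, body, header_sig),
        )
    return results


if __name__ == "__main__":
    for label, (raw_ok, rebuilt_ok) in demo().items():
        print(f"{label}: raw={raw_ok} reserialized={rebuilt_ok}")
```

With its default `ensure_ascii=True`, `json.dumps` writes `ë` as `\u00eb`, so the re-serialized bytes differ from the received ones only for the second payload. Verifying over the raw request body avoids depending on how the JSON was formatted.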