Calculated signature doesn't match header x-zm-signature intermittently

Our app subscribes to the webhook events callee ended, caller ended, caller is connected to callee, callee answered phone call. When we get a payload, we calculate the auth signature and return a 401 if the signature in the payload header (x-zm-signature) doesn't match what we calculated. Sometimes the x-zm-signature doesn't match our calculated signature and we don't really know why. Not all events fail, which is the odd part. I would assume that our algorithm would be all or nothing. Why would it work for some and fail for others?


    import hashlib
    import hmac
    import json

    from fastapi import HTTPException, Request


    async def verify_zoom_signature(request: Request, request_data: dict):
        # config is the app's own settings module (not shown in the post)
        head = request.headers
        # Message to sign is "v0:<timestamp>:<body>"; here the body is re-serialized from the parsed JSON
        message = f"v0:{head['x-zm-request-timestamp']}:{json.dumps(request_data, separators=(',', ':'))}"
        hashForVerify = hmac.new(
            config.values.ZOOM_SECRET_TOKEN.encode(),
            message.encode(),
            hashlib.sha256,
        ).hexdigest()
        signature = f"v0={hashForVerify}"

        if head.get("x-zm-signature") != signature:
            raise HTTPException(
                status_code=401,
                detail="Not authorized",
            )

For anyone struggling, I fixed it by simply getting the raw body of the POST and using that (not a JSON-deserialized version of it):

    head = request.headers
    request_body = await request.body()  # raw bytes exactly as received, before any JSON parsing
    message = f"v0:{head['x-zm-request-timestamp']}:{request_body.decode()}"
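As an added example (not code from either poster, nor Zoom's own SDK), the script below reproduces the symptom and the fix side by side. It signs a raw body the way the thread describes, then verifies the same header value once against the raw bytes and once against a body that was parsed and re-serialized with json.dumps. The secret token, timestamp and the two sample bodies are constructed for this example. The ASCII-only payload verifies both ways, but the payload containing a non-ASCII character fails the re-serialized check because json.dumps escapes it as \u00e9 by default, which is one concrete reason only some events fail. Two things the posted code does not do are also shown: the digests are compared with hmac.compare_digest rather than !=, and the request timestamp is checked for freshness (the 300-second window is an assumption, not a value from the thread).

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values for this example; not taken from the forum thread.
SECRET_TOKEN = "example-secret-token"
TIMESTAMP = "1700000000"

# Two raw request bodies exactly as a sender would transmit them (compact, no spaces).
# The second contains a non-ASCII character, which json.dumps escapes as \u00e9 by default,
# so re-serializing it yields different bytes and therefore a different HMAC.
ASCII_BODY = b'{"event":"phone.caller_ended","payload":{"object":{"caller":"Jane"}}}'
UNICODE_BODY = b'{"event":"phone.callee_ended","payload":{"object":{"caller":"Jos\xc3\xa9"}}}'


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over 'v0:<timestamp>:<raw body>', keyed with the secret token."""
    message = b"v0:" + timestamp.encode() + b":" + body
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def verify(secret: str, timestamp: str, body: bytes, header_signature: str,
           now: Optional[float] = None, max_age_seconds: int = 300) -> bool:
    """Verify a header signature against the raw body.

    Rejects stale or future-dated timestamps (limits replay of a captured request)
    and compares digests in constant time so a forged value cannot be refined
    byte by byte from response timing.
    """
    now = time.time() if now is None else now
    try:
        age = now - int(timestamp)
    except ValueError:
        return False  # non-numeric timestamp header
    if abs(age) > max_age_seconds:
        return False
    expected = sign(secret, timestamp, body)
    return hmac.compare_digest(expected.encode(), header_signature.encode())


def reserialize(body: bytes) -> bytes:
    """The failing approach from the thread: parse the JSON, then dump it again."""
    return json.dumps(json.loads(body), separators=(",", ":")).encode()


def compare_methods(body: bytes) -> Tuple[bool, bool]:
    """Return (verified_with_raw_body, verified_with_reserialized_body) for one payload."""
    header = sign(SECRET_TOKEN, TIMESTAMP, body)  # what the sender puts in x-zm-signature
    now = int(TIMESTAMP) + 1  # pretend the request arrived one second after it was signed
    raw_ok = verify(SECRET_TOKEN, TIMESTAMP, body, header, now=now)
    reserialized_ok = verify(SECRET_TOKEN, TIMESTAMP, reserialize(body), header, now=now)
    return raw_ok, reserialized_ok


if __name__ == "__main__":
    for name, body in (("ascii", ASCII_BODY), ("unicode", UNICODE_BODY)):
        raw_ok, reser_ok = compare_methods(body)
        print(f"{name}: raw body -> {raw_ok}, re-serialized body -> {reser_ok}")
```

Key order, whitespace, number formatting and escaping are all choices the sender made when it produced the bytes it signed; any re-encoding on the receiving side is a guess at those choices, which is why the signature must be computed over the bytes as received.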

@mcbalto
Thanks for sharing your findings with the community!
We appreciate your contributions!!!
