The signature generated using v0:{WEBHOOK_REQUEST_HEADER_X-ZM-REQUEST-TIMESTAMP_VALUE}:{WEBHOOK_REQUEST_BODY} does not match the signature in the header

hicucu · July 17, 2023, 3:14am

video sdk : 1.8.0

The webhook is not functioning properly.
The comparison between the x-zm-signature in the header and the body is not working.
I see. It appears that accessing the request header using req.headers.get(“x-zm-signature”) instead of req.headers[“x-zm-signature”] prevents the value from becoming undefined.
The body of the request has been changed to a ReadableStream.
After reading the body as a ReadableStream, the values are different.
The request body for the session.start event is documented as follows:

{
  "event": "session.started",
  "payload": {
    "account_id": "{ACCOUNT_ID}",
    "object": {
      "start_time": "2022-07-27T16:56:34Z",
      "id":"{SESSION_ID}"
    }
  },
  "event_ts": 1658940994914
}

I have confirmed that the session.start event has been updated to include session_name, and session_id.

{
  event: 'session.started',
  payload: {
    account_id: 
    object: {
      session_name: 
      start_time: 
      session_id: 
      id: 
    }
  },
  event_ts: 
}

Including or removing these elements doesn’t work.

The signature generated using v0:{WEBHOOK_REQUEST_HEADER_X-ZM-REQUEST-TIMESTAMP_VALUE}:{WEBHOOK_REQUEST_BODY} does not match the signature in the header.

elisa.zoom · July 17, 2023, 4:06pm

Hi @hicucu
Thanks for reaching out to us!
Have you been able to take a look at our sample app?

uri.covarrubias · July 26, 2024, 12:02am

A year later but if can help to someone to solve this issue…
I tried create a hash signature using my secret token and request body but doesn’t matching. The problem is in message sctructure…

I had v0:1721951212:{“payload”: {“plainToken”: “8Ec3oqLtS-Gx6b-8Ocqnmw”}, “event_ts”: 1721951212909, “event”: “endpoint.url_validation”}

Just erase blank spaces and works! i got the correct signature hashed!
Here an example using python:

import hashlib
import hmac
import os

def calculate_hash(message, secret_token):
# Crear un hash HMAC-SHA256 usando el token secreto
hmac_hash = hmac.new(secret_token.encode(), message.encode(), hashlib.sha256).hexdigest()
return hmac_hash

Ejemplo de uso

message = ‘v0:1721951212:{“payload”: {“plainToken”: “8Ec3oqLtS-Gx6b-8Ocqnmw”}, “event_ts”: 1721951212909, “event”: “endpoint.url_validation”}’
message = message.replace(" ", “”)
print(f’Nuevo mensaje: {message}')
secret_token = “j4DYHnKOQ3eLL3LV2jq61Q”

hash_for_verify = calculate_hash(message, secret_token)
print(f"HMAC-SHA256 hash para verificación: {hash_for_verify}")

v0=dac804460ef74c28b2791bde507481eeb39943cc86016451c355fa0d1a7660b0

Topic		Replies	Views
Unable to verify zoom's web hook request with Zoom's header API and Webhooks webhooks , recording	16	761	July 18, 2024
Python webhook validation API and Webhooks	2	688	July 7, 2024
Unauthorized request to Zoom webhook Sample error API and Webhooks phone , webhooks	10	45	August 8, 2024
Missing x-zm-signature header in some received webhooks API and Webhooks webhooks	1	377	July 15, 2023
X-zm-signature & x-zm-request-timestamp are missed in deauthorization webhook API and Webhooks webhooks	6	1547	August 26, 2023

The signature generated using v0:{WEBHOOK_REQUEST_HEADER_X-ZM-REQUEST-TIMESTAMP_VALUE}:{WEBHOOK_REQUEST_BODY} does not match the signature in the header

Ejemplo de uso

v0=dac804460ef74c28b2791bde507481eeb39943cc86016451c355fa0d1a7660b0

Related Topics