Issue verifying webhook notification signature

ozreel
ozreel Member Posts: 2
edited April 29 in Developer APIs

I'm a bit concerned because no matter what I try the verifyNotificationSignature function always returns false.

I'm using the Cloudinary Node SDK.

v2.config({
  api_key: process.env.NEXT_PUBLIC_CLOUDINARY_API_KEY,
  api_secret: process.env.CLOUDINARY_API_SECRET,
});

code snippets as follows:

import { v2 } from "cloudinary";

// Cloudinary delivers the timestamp and the signature as request headers.
const timestampString = headers.get("X-Cld-Timestamp");
const timestamp = timestampString ? parseInt(timestampString, 10) : null;
const signature = headers.get("X-Cld-Signature");

// The signature is computed over the request body exactly as Cloudinary sent it,
// so the string passed here has to match that body byte for byte.
const stringBody = JSON.stringify(body);

const isSignatureValid = v2.utils.verifyNotificationSignature(stringBody, timestamp, signature);
console.log("isSignatureValid", isSignatureValid);

not only that, the documentation surrounding the details of this function is sparse at best. Is the valid_for argument arbitrary and where can we determine the valid_for defaults? How is the SDK configured properly? etc. and then there's this:


which is a very similar issue and it appears as if the solution was discussed in private.

I would appreciate any feedback or response, thanks for your time.

Comments

  • Wissam
    Wissam Member, Cloudinary Staff Posts: 95

    Hi there,

    The most likely reason for the issue is that you are verifying the signature using a different API Secret than the one the notification payload was signed with.

    I suspect you are trying to verify the signature with that pair of key/secret credentials - which won’t match. By default, we will use the first active key/secret pair.

    As mentioned in our documentation:
    When dealing with multiple access keys in your product environment, it's essential to identify the appropriate key for verification. If you've established a dedicated access key for all your webhook notifications, make sure to employ the associated api_secret for verification.

    Since you're working with multiple key/secret pairs in your product environment, you have the option to specify an access key that will serve as the dedicated key for verifying webhook notifications. The dedicated access key can be used for other purposes, as well. Here is how to do it: https://cloudinary.com/documentation/notification_signatures#dedicated_access_key_for_webhook_notifications

    Here is another article that explains how to validate Cloudinary Webhooks signature:
    https://support.cloudinary.com/hc/en-us/articles/115001302471-How-to-validate-Cloudinary-webhooks-signature

    Please review and let me know your feedback.

    Regards,

    Wissam

  • ozreel
    ozreel Member Posts: 2

    Hi,

    I appreciate the swift response! I was able to select a keypair (I actually created a new one for the express purpose of verifying webhook responses) and every notification verifies properly except for upload notifications from an upload of a video via mediaUrl.

    Moderation, eager, and even upload notification_type notifications from client side (chunked) uploads made via signed request, these notifications all verify correctly.

    Only when I use v2.uploader.upload to upload (async) from a mediaURL does the upload notification_type webhook notification fail to verify.

    For context, the call to v2.uploader.upload is configured the same way I use v2.uploader.destroy and the delete notifications validate just fine, the only difference I can think of for the upload notification that fails validation is that it has a public_id set which I only have to set because when I call upload async it doesn't return a public_id because I assume the upload isn't completed yet.

    The reason I have to do this is because otherwise I have no way to tie the upload notification to the record in my db without a public_id.

    Either way, I verified that it still fails to verify the upload notification signature even if I don't set a public_id.

    I apologize for going off track, the manually set public_id doesn't seem to be an issue but it's a separate topic; ideally I'd like to solve the mystery of the upload notification that doesn't verify even though it's configured in the same way as other upload/destroy calls whose notifications do verify.

    Also, the upload_preset is the same I use in the chunked upload which has no problem validating the notification.

    I'm not sure if it helps but the eager notifications verify just fine even though they come in for the same upload whose "upload" notification_type fails to verify.

    Let me know if you have any questions or require additional information.

    Thanks again.

  • DannyFromCloudinary
    DannyFromCloudinary Member, Cloudinary Staff Posts: 132

    Hi @ozreel.

    Could you please open a ticket up with us via https://support.cloudinary.com, (re)specifying your issue and your cloud name, and also provide us with a few example signatures that failed to verify. We will then be able to look into the logs from your account and give you more information on why this might be failing.

    Kind regards,

    -Danny