gpt4 book ai didi

java - DocuSign Connect webhook 调用不包含 HMAC header x-docusign-signature

转载 作者:行者123 更新时间:2023-12-01 21:56:31 33 4
gpt4 key购买 nike

在我的帐户中,我创建了一个 Connect webhook 配置。我添加了一个 key ,还选中了 Include HMAC signature 复选框。

在我签署信封后,DocuSign Connect 调用了我的 API。

它发送了一个成功的请求正文但它没有发送预期的请求 header x-docusign-signature

引用:连接HMAC configuration page

我从 DocuSign connect 获得了以下请求 header 。

{host=[qa.****.com], 
content-type=[text/xml; charset=utf-8],
expect=[100-continue], max-forwards=[9],
x-forwarded-proto=[https],
x-forwarded-port=[443],
x-original-host=[qa.****.com],
x-original-url=[/****/v1/docusign/webhook/1177/4305],
x-forwarded-for=[162.248.186.11:58652, 10.3.0.5],
x-arr-ssl=[2048|256|C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2|OU=Domain Control Validated, CN=qa.cloudlex.com],
x-arr-log-id=[06ca1160-b70c-41d9-8e8c-6e018983ad94],
x-forwarded-host=[qa.****.com],
x-forwarded-server=[qa.****.com],
connection=[Keep-Alive], content-length=[2184]
}

感谢您的帮助。

最佳答案

目前,关于 HMAC 身份验证的文档具有严重的误导性,因为它建议您只需在站点的管理部分启用它。

发送信封时,您还需要在信封的 EventNotification 部分设置“IncludeHMAC”设置。

此代码基于 C# DocuSign 客户端,但应同样适用于其他语言。

public EventNotification BuildEventNotifications(string callbackUrl)
{
return new EventNotification
{
IncludeEnvelopeVoidReason = "true",
EnvelopeEvents = new List<EnvelopeEvent>
{
new EnvelopeEvent("sent", "false"),
new EnvelopeEvent("delivered", "false"), // When opened
new EnvelopeEvent("completed", "true"), // When signed
new EnvelopeEvent("declined", "false"),
new EnvelopeEvent("voided", "false")
},
Url = callbackUrl,
LoggingEnabled = "true",
IncludeHMAC = "true",
IncludeDocuments = "false",
RequireAcknowledgment = "true",
RecipientEvents = new List<RecipientEvent>
{
new RecipientEvent("false", "Sent"),
new RecipientEvent("false", "Delivered"),
new RecipientEvent("true", "Completed"),
new RecipientEvent("false", "Declined")
}
};
}

这是一个如何在 Api 端验证其 HMAC 签名的示例。 Web Api/.NET Core 中的示例,但应该很容易转换为 Java 或您选择的框架。

public class HMACAuthorization : Attribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationFilterContext context)
{
string xmlBody;

context.HttpContext.Request.Body.Seek(0, SeekOrigin.Begin);
using (var reader = new StreamReader(context.HttpContext.Request.Body, Encoding.UTF8, true, 1024, true))
{
xmlBody = reader.ReadToEnd();
}

context.HttpContext.Request.Headers.TryGetValue("X-DocuSign-Signature-1", out var hmacSignature);

if (!HmacIsValid(ConfigurationSettings.DocuSignHMACKey, xmlBody, hmacSignature)) context.Result = new UnauthorizedResult();
}

private static bool HmacIsValid(string hmacKey, string body, string hmacSignature)
{
var computedHmac = BuildHmacHash(hmacKey, body);

var hmacIsValid = computedHmac == hmacSignature;

return hmacIsValid;
}

private static string BuildHmacHash(string hmacKey, string body)
{
string hash;

using (var sha = new HMACSHA256(Encoding.UTF8.GetBytes(hmacKey)))
{
hash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(body)));
}

return hash;
}
}

如果您在 .NET Core/Web Api 中使用示例,则需要在 Http 请求正文中启用倒带。您可以使用这个中间件来实现此功能。

public class EnableRequestRewindMiddleware
{
private readonly RequestDelegate _next;

public EnableRequestRewindMiddleware(RequestDelegate next)
{
_next = next;
}

public async Task Invoke(HttpContext context)
{
context.Request.EnableRewind();
await _next(context);
}
}

app.UseMiddleware<EnableRequestRewindMiddleware>();

关于java - DocuSign Connect webhook 调用不包含 HMAC header x-docusign-signature,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/56673644/

33 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com