mandrill webhook: incorrect signature with auth #48
Comments
If your Django app doesn't know its own public hostname (because Django is behind a proxy that doesn't set X-Forwarded-Host, e.g.), you'll need to set MANDRILL_WEBHOOK_URL to the exact webhook url you entered into Mandrill's dashboard. Without that setting, Mandrill is computing a signature for something like (I'm making a note to update that error message to include the url Anymail thinks it was called at.) If that's not the issue, it would be helpful to know things like Anymail and Django versions, whether the webhook has ever worked (and if so, what changed since then). You could also scan up the stack trace in Sentry to find where anymail.webhooks.mandrill...validate_request is raising the error -- Sentry may have captured more information there that would help your investigation. In particular, |
dear, the x-forwarded-host is properly set to the domain of the webhook. but I realized that in mandrill, the webhook url registered contains the authentication credentials (as of your documentation). if that is used for signing, then it won't work. what do you think? also and no, I just switched to anymail and it was never successful. |
Update: I disabled |
another Update: I managed to print
does this look right? I also printed the |
while investigating I noticed: in sentry the |
Ah -- I think you're correct about basic auth affecting how Mandrill calculates the signature. (But I can't really tell from Mandrill's docs, and I don't have access to Mandrill for testing.) But yes, let's try to get it working without basic auth first. Where you've added print debugging in
If none of those shows a problem, I'm afraid I'm a bit mystified. |
hey, thanks for the guidance. will instantly tomorrow morning. seen my comment about the escaping? |
I think the escaping difference is just an artifact of printing to the console. |
hey, with printing I get
I compared the url 20 times with mandrill and it looks fine. even with the trailing slash. |
alright I finally got it: when using the authentication mechanism the url for the to make it short adding the same URI as entered into mandrill form (including the authentication data) as a setting for maybe it would make sense to have this documented, that if you are using the authentication, the setting would be mandatory. |
Ah, great. Thanks for tracking this down, and glad you were able to get it working. I'm going to treat this as a bug in Anymail's Mandrill webhook verification. If Anymail knows you're using basic auth (and it does!), it should factor that into the signature calculation. For anyone else encountering this, until there's a fix in place, the workaround is to set MANDRILL_WEBHOOK_URL to include your WEBHOOK_AUTHORIZATION secret:

    ANYMAIL = {
        "MANDRILL_API_KEY": "<your API key>",
        "WEBHOOK_AUTHORIZATION": "random:random",  # use same random:random below
        "MANDRILL_WEBHOOK_URL": "https://random:random@yoursite.example.com/anymail/mandrill/tracking/",
        # ...
    }
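The mismatch tracked down above, as an added example that is not part of the original thread and is not Anymail's code: it applies Mandrill's documented signing scheme (base64 HMAC-SHA1 over the webhook URL followed by each POST key and value, sorted by key) to show that the URL with and without the basic-auth userinfo signs differently, and finds which URL variant a received signature was computed over. The webhook key, POST body and the helper names `candidate_urls` and `find_signed_url` are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit


def mandrill_signature(webhook_key, url, post_params):
    """Base64 HMAC-SHA1 over url + key1 + value1 + key2 + value2 ... (keys sorted)."""
    signed = url
    for key in sorted(post_params):
        signed += key + post_params[key]
    digest = hmac.new(webhook_key.encode(), signed.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def candidate_urls(request_url, basic_auth=None):
    """Variants of the URL the app sees: trailing slash on/off, userinfo on/off."""
    parts = urlsplit(request_url)
    hosts = [parts.netloc]
    if basic_auth:
        hosts.append(f"{basic_auth}@{parts.netloc}")
    bare = parts.path.rstrip("/")
    paths = sorted({parts.path, bare, bare + "/"})
    return [urlunsplit((parts.scheme, h, p, parts.query, "")) for h in hosts for p in paths]


def find_signed_url(webhook_key, request_url, post_params, header_sig, basic_auth=None):
    """Return the URL variant whose signature matches X-Mandrill-Signature, or None."""
    for url in candidate_urls(request_url, basic_auth):
        expected = mandrill_signature(webhook_key, url, post_params)
        if hmac.compare_digest(expected, header_sig):  # constant-time comparison
            return url
    return None


# Constructed sample values (not real keys or payloads).
WEBHOOK_KEY = "constructed-webhook-key"
URL_IN_DASHBOARD = "https://random:random@yoursite.example.com/anymail/mandrill/tracking/"
URL_SEEN_BY_DJANGO = "https://yoursite.example.com/anymail/mandrill/tracking/"
POST = {"mandrill_events": '[{"event": "send", "_id": "constructed"}]'}

if __name__ == "__main__":
    sent = mandrill_signature(WEBHOOK_KEY, URL_IN_DASHBOARD, POST)
    # Without the credentials no variant matches; with them the dashboard URL does.
    print(find_signed_url(WEBHOOK_KEY, URL_SEEN_BY_DJANGO, POST, sent))
    print(find_signed_url(WEBHOOK_KEY, URL_SEEN_BY_DJANGO, POST, sent, "random:random"))
```

Use it only for local debugging: the matched URL contains the shared secret, so keep it out of logs and error reports.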
@patroqueeet you mentioned "authentication data (even if mandrill is hiding it inside it's own UI)"... does that mean the Mandrill webhooks settings is extracting the basic auth from the url and showing it in some other UI fields? (Does it have a separate place for webhook username/password?) I'd like to clarify Anymail's docs if that's how Mandrill handles webhook basic auth. If you could let me know the exact labels for things in the Mandrill webhook page -- or post a screenshot (empty webhooks form or sensitive data removed) -- that would be really helpful. Thanks. |
hey, current mandrill form to add a webhook: https://www.dropbox.com/s/ec96qromh6rne76/Screenshot%202017-01-24%2007.50.15.png?dl=0 and this is the display. looks like they altered it. when we talked here, the auth data was not reflected by the status display url. btw. you are the first ever open source maintainer which reflected a ticket and came back to me with the goal to make his great library even better... |
Thanks, looks like Mandrill has renamed a couple of things since the last time I saw that screen. I'll update the docs. I really appreciate all the effort you put into researching this issue. It's been tricky maintaining support for Mandrill without access to their API, and it would be absolutely impossible without the help of users like you. |
I'm working with them every single day. ping me whenever you need any insights... |
dear, I'm getting "Mandrill webhook called with incorrect signature" error with a "Bad Request" response towards mandrill. Sentry logs say about the err location:
I triple checked my webhook and api key. my total settings look like this:
what else should I check to investigate the failure?