Cannot authenticate webhooks #29

Open
wcerfgba opened this issue Mar 23, 2020 · 3 comments

@wcerfgba

Hello,

I have implemented a webhook handler for Enrichment requests in our API codebase, but I am having trouble getting the signature to verify correctly.

I have captured the following request body:

{"id":"db759484-a624-4861-ba27-a2976552e4b4","body":{"person":null,"company":{"id":"a504a1d3-fe1e-472e-9550-d6044f5701ed","name":"Commsor","legalName":null,"domain":"commsor.com","domainAliases":["commsponsor.com"],"site":{"phoneNumbers":[],"emailAddresses":[]},"category":{"sector":null,"industryGroup":null,"industry":null,"subIndustry":null,"sicCode":null,"naicsCode":null},"tags":[],"description":"Commsor
is built by community leaders, for community leaders. That's why we're
creating community-first tools to help you build a better community to
drive customer acquisition, support, retention and
more.","foundedYear":null,"location":"New York, NY,
USA","timeZone":"America/New_York","utcOffset":-4,"geo":{"streetNumber":null,"streetName":null,"subPremise":null,"city":"New
York","postalCode":null,"state":"New
York","stateCode":"NY","country":"United
States","countryCode":"US","lat":40.7127753,"lng":-74.0059728},"logo":"https://logo.clearbit.com/commsor.com","facebook":{"handle":null,"likes":null},"linkedin":{"handle":null},"twitter":{"handle":"Commsor","id":"1108749588142403585","bio":"We
share best practices, tips \u0026 news for community building.
Building software for community managers of all sizes. Tweets by
@j__cub and @theteaguns","followers":186,"following":104,"location":"Remote
🌠","site":"https://t.co/W9FmnErtug","avatar":"https://pbs.twimg.com/profile_images/1215612169569677312/7IwpaveX_normal.jpg"},"crunchbase":{"handle":null},"emailProvider":false,"type":"personal","ticker":null,"identifiers":{"usEIN":null},"phone":null,"metrics":{"alexaUsRank":null,"alexaGlobalRank":1078614,"employees":null,"employeesRange":null,"marketCap":null,"raised":null,"annualRevenue":null,"estimatedAnnualRevenue":null,"fiscalYearEnd":null},"indexedAt":"2020-03-15T11:15:53.949Z","tech":["google_apps","aws_route_53"],"techCategories":["productivity","dns"],"parent":{"domain":null},"ultimateParent":{"domain":null}}},"status":200,"type":"person_company"}

which had the following X-Request-Signature header:

sha1=1f03b7a668a5080a231f6cce7dd2c9882e3a0d57

I have tried to parse this using the WebhookResponseParser class in this clearbit-java library, but I receive the 'bad hmac-sha1 signature' ApiException. I have also tried to calculate the signature by reimplementing the logic in the Java and Ruby libraries using our own crypto libraries but have not managed to generate the correct HMAC.

Thanks
John Preston
Engineer
Commsor

@stpe

stpe commented May 28, 2020

@wcerfgba Did you ever find a solution?

@wcerfgba
Author

wcerfgba commented Jun 1, 2020

@stpe Yes! The issue is this line: https://github.com/clearbit/clearbit-java/blob/master/src/main/java/com/clearbit/client/api/WebhookResponseParser.java#L76

The zero-argument version of String.getBytes uses the platform's default charset [1], which was 'US-ASCII' for us, which caused decode of payloads containing Unicode characters to fail. We fixed this by setting our LANG to en_US.UTF-8, which changed the JVM default charset to UTF-8.

Ideally this lib should be updated to specify the charset in the call to getBytes, but since the last commit was in 2018 and I never had a response to this issue, I assume Clearbit developers are not monitoring this repo. You could email support@clearbit.com . :)

[1] https://docs.oracle.com/javase/8/docs/api/java/lang/String.html#getBytes--
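
The charset problem described in the comment above, as an added example that is not part of the original thread or of the clearbit-java code: it signs a constructed body containing a non-ASCII character, then verifies the `sha1=<hex>` header once with explicit UTF-8 and once with US-ASCII. The key, body and class name are constructed for illustration, and the sender signing the UTF-8 bytes of the body is an assumption consistent with the fix reported above.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class WebhookSignatureExample {
    // Hex-encoded HMAC-SHA1 of the payload bytes under the shared secret.
    static String hmacSha1Hex(byte[] key, byte[] payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(payload)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Checks a "sha1=<hex>" header against the body encoded with the given charset.
    static boolean verify(String header, String key, String body, Charset cs)
            throws GeneralSecurityException {
        if (header == null || !header.startsWith("sha1=")) {
            return false;
        }
        String expected = "sha1=" + hmacSha1Hex(key.getBytes(StandardCharsets.UTF_8), body.getBytes(cs));
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.US_ASCII),
                header.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String key = "constructed-test-key";                    // constructed, not a real secret
        String body = "{\"location\":\"Remote \uD83C\uDF20\"}"; // constructed body with a non-ASCII character

        // Assumption: the sender signs the UTF-8 bytes that go on the wire.
        String header = "sha1=" + hmacSha1Hex(
                key.getBytes(StandardCharsets.UTF_8), body.getBytes(StandardCharsets.UTF_8));

        // An explicit UTF-8 charset gives the same bytes whatever LANG or file.encoding is set to.
        System.out.println("UTF-8:    " + verify(header, key, body, StandardCharsets.UTF_8));
        // US-ASCII cannot encode the emoji and substitutes '?', so the HMAC input differs.
        System.out.println("US-ASCII: " + verify(header, key, body, StandardCharsets.US_ASCII));
    }
}
```

Where the HTTP framework exposes the raw request bytes, computing the HMAC over those bytes directly avoids the decode and re-encode step altogether.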

@harlow
Member

harlow commented Jun 1, 2020

@wcerfgba thanks for the follow up. Would be happy to get this fix merged in.
