validateMessageIntegrity method doesn't use the payload body

[toddheslin]

I've noticed that when creating the hash here:

fb-messenger-bot-api/src/validation/ValidateWebhook.ts

Line 79 in 5a2c6be

const authenticationCode = createHmac(xHubSignatureValueParts[0], fbApplicationSecret).digest('hex');

You aren't updating with the payload body. Are you using this successfully in production for an older version of the API? The current API version requires using the payload to verify the request:

To validate the payload:

1. Generate a SHA1 signature using the payload and your app's App Secret.
2. Compare your signature to the signature in the X-Hub-Signature header (everything after sha1=). If the signatures match, the payload is genuine.

https://developers.facebook.com/docs/graph-api/webhooks/getting-started#verification-requests

[crisboarna]

You are correct, good catch, using wrong entity for sha creation. Will release a fix for this tomorrow :)

[toddheslin]

I'm not sure if there is a great way of creating the payload buffer in a framework agnostic way. There is the express way: https://github.com/expressjs/body-parser#bodyparserrawoptions

But I use Fastify as a framework so I'd like the option of either just passing in the buffer (not actually supported in Fastify without a few tricks...yet), or perhaps just passing in the body object which could be turned back into a buffer for the check. I doubt this is the most performant way but not sure if it's really a big deal.

Probably the only thing I'd urge against is making any assumptions on the framework. :-)