Wrike Secure Webhooks Returns Invalid Parameter

6 comments

  • Lisa

    Hi Russell, welcome to the Community and thanks for reaching out.

    I'm going to raise a Support ticket for you now so that someone from the team could help you with this. You'll get a notification soon.

    Lisa Community Team at Wrike

  • Luka Defar

    Has this been resolved? I'm getting the same error as described above when trying to set up a hook with a secret

  • Ben Zenker

    I am also getting the same error and wondering if this is an error on my side, or on Wrike's server.

  • Russell Wilkie

    Just following up on this, but I was able to get this resolved after getting in touch with the Wrike support team. There wasn't any additional information I had to work with that wasn't in the documentation other than this extra step they provided:

    All further events from this webhook will contain the X-Hook-Secret header with value hmacSha256(key: secret, value: request body), so the client can check authenticity of the events.

    In case of a handshake failure, Wrike responds to client with HTTP status = 400 and "error": "invalid_parameter", "errorDescription": "Web hook url handshake failed".

    The problem I ran into was primarily a fault of how I handled the handshake's creation. On my personal side of things I had to make sure:

    1. The hashed X-Hook-Secret header during initial creation was sent as a response
    2. Handshake registration was done through the payload url (Had a middleware used for this)
    3. Firewall settings allowed IP addresses in range: 160.19.162.0/24
  • Ben Zenker

    Thank you Russell. Your tips helped me find my issue as well.

    For me, I was bypassing the handshake with an if-statement for all requests that had an empty req.body, but I used poor logic in the if-statement.

    Now I am struggling to achieve a match between the hashed body and the X-Hook-Secret on all non-handshake POST requests.

    const hashAttempt = req.get('X-Hook-Secret')
    console.log(hashAttempt)
    const hashedMessage = hmacSha256(JSON.stringify(req.body), process.env.HOOK_SECRET)
    console.log(hashedMessage.toString())

    > f3907d9a7ba1207a7cbe8cabcc9c3f8da3e361d65124b6af29cf74b57b8d0a38
    > 11fc11d4474eb39a257b08ff6487904f905a97a1c6a9c642f669b7bb46578c68

    Where HOOK_SECRET is the same secret that was used to respond to the secure webhook registration.

    Have you gotten a match on your end?

  • Ben Zenker

    The solution to my problem was to decode the request body to text manually, instead of depending on a library.

    Using this plain-text string of the request body gave me a matching hmacSha256 hash.


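The fix described in the last two comments, as an added example that is not part of the original posts and is not Wrike's own code: the HMAC is computed over the exact bytes received, because parsing the JSON and serializing it again can produce different bytes and therefore a different hash. The function names, the secret and the sample body are constructed for illustration, and hex encoding of the header value is an assumption based on the 64-character values printed in the thread.

```javascript
const crypto = require('node:crypto');

// hmacSha256(key: secret, value: request body), hex-encoded. Hex is an
// assumption based on the 64-character values printed in the thread.
function hookSignature(secret, rawBody) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Compare the received X-Hook-Secret header with the signature of the exact
// bytes that arrived, in constant time.
function verifyEvent(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string') return false;
  const expected = Buffer.from(hookSignature(secret, rawBody), 'utf8');
  const received = Buffer.from(headerValue, 'utf8');
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample: a secret and a body as a sender might serialize it,
// with spaces after separators and an escaped non-ASCII character.
const SECRET = 'constructed-demo-secret';
const RAW_BODY = Buffer.from(
  '[{"id": "constructed-1", "title": "caf\\u00e9"}]', 'utf8');

function demo() {
  const header = hookSignature(SECRET, RAW_BODY); // what the sender attaches
  // Parsing and re-serializing yields different bytes for the same JSON value.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY.toString('utf8')));
  return {
    reserialized,
    rawOk: verifyEvent(SECRET, RAW_BODY, header),
    reserializedOk: verifyEvent(SECRET, Buffer.from(reserialized, 'utf8'), header),
    missingHeaderOk: verifyEvent(SECRET, RAW_BODY, undefined),
  };
}

console.log(demo());
```

In Express, the raw bytes can be captured with `express.raw()` or with the `verify` callback of `express.json()`, and passed to `verifyEvent` before the body is used.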