Trello Webhook Verification

PavelGrigorov · December 17, 2021, 2:17pm

Hello!
I am having trouble verifying Webhooks from Trello in Python. (I am aware of this post https://community.atlassian.com/t5/Trello-questions/Trello-API-Trello-webhook-signatures-and-Python/qaq-p/743801)
The solution given in this post does not work. Neither does any combination of hashing, encoding and concatenating that I have tried.
The official documentation also states The hashed content should be the binary representation of the concatenation of the full request body and the callbackURL exactly as it was provided during webhook creation.
I have tried different conversions to binary, with different byte lengths and delimiters, yet still no match.

Could somebody please give a comprehensive step-by-step example of how exactly to handle the information received through the webhook?

bill2 · September 28, 2023, 12:05am

The Trello example is wrong. You cannot JSON.stringify a request body as it returns an empty object. Instead, use request.text(). https://developer.atlassian.com/cloud/trello/guides/rest-api/webhooks/

async function verifyTrelloWebhookRequest(request: Request, secret: string, callbackURL: string) {
	const base64Digest = function(s: string) {
		return crypto.createHmac("sha1", secret).update(s).digest("base64");
	};

	const content = (await request.text()) + callbackURL;
	const doubleHash = base64Digest(content);
	const headerHash = request.headers.get("x-trello-webhook");

	return doubleHash === headerHash;
}