cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
What’s new: end-to-end encryption, Replay and Dash updates. Find out more about these updates, new features and more here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

X-Dropbox-Signature not matching

Labels:

X-Dropbox-Signature not matching

Davidg315
Explorer | Level 4
‎03-06-2017 05:45 AM

I am currently testing the webhook and am successfully receiving change notifications, however, the X-Dropbox-Signature doesn't match my calculation during message validation.

 

To find a solution I have tried comparing my results to the results using the python code example in the Webhooks tutorial as well as the java example in github.  All three of my generated signatures are the same and they don't match the one in the X-Dropbox-Signature header value.

 

I am using my application's secret key to create the secret key and using hmacSHA256 as the algorithm to encrypt the body of the request.

 

Any help would be much appreciated.  

Labels:
  • 0 Likes
  • 4 Replies
  • 2,248 Views
0 Likes
4 Replies 4

Greg-DB
Dropbox Staff
‎03-06-2017 10:32 AM

Hi David, I put together this test based on real values for an app I tried this with:

 

import hmac

from hashlib import sha256

# copied from App Console: (now revoked, so it's safe to share this as a sample)
APP_SECRET = 'prozr59vkis4454'
print(APP_SECRET)

# received as X-Dropbox-Signature header in a webhook notification:
signature = 'aa2508fb90b757aa382edb0815c7f7df0ce1943c53f28fae96e1dc9eb7f677b1'
print(signature)

# received as body of webhook notification:
body = '{"list_folder": {"accounts": ["dbid:AABL4QRrY7tB9viLgPUqmjkzE6Fe5ujlnlE"]}, "delta": {"users": [22575230]}}'
print(body)

expected_signature = hmac.new(APP_SECRET, body, sha256).hexdigest()
print(expected_signature)

print(hmac.compare_digest(signature, expected_signature))

That gave me:

 

prozr59vkis4454
aa2508fb90b757aa382edb0815c7f7df0ce1943c53f28fae96e1dc9eb7f677b1
{"list_folder": {"accounts": ["dbid:AABL4QRrY7tB9viLgPUqmjkzE6Fe5ujlnlE"]}, "delta": {"users": [22575230]}}
aa2508fb90b757aa382edb0815c7f7df0ce1943c53f28fae96e1dc9eb7f677b1
True

 

The comparison returned True for me, so it appears to be working as expected. 

 

Please use these values to check your implementation(s). If your implementations produce the same value, then the issue is likely with the input data being supplied to hmac.new. In that case, make sure your web framework is passing along the raw webhook notification body. Any slight change, e.g., even an extra added new line at the end, would change the calculation.)

 

 

Davidg315
Explorer | Level 4
‎03-06-2017 06:57 PM

Thanks.  The code I am using returned the result you got.  So I will review the message body of the request to make sure I am getting a raw result.

0 Likes

Davidg315
Explorer | Level 4
‎03-07-2017 07:47 AM

Greg, thanks for the tip, it works.  The issue was that I was using the Play! Framework and was automatically parsing the body into JSON and then turning it into a string, which eliminated the spaces in the body.  I changed the Action to use a text parser instead of a JSON parser and all worked perfectly.  Thank you so much for the help.

0 Likes

Greg-DB
Dropbox Staff
‎03-07-2017 08:27 AM
Excellent, I'm glad to hear this is sorted out. Let us know if you run in to any other issues.
0 Likes
Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    Davidg315 Explorer | Level 4
What do Dropbox user levels mean?