Problem description

In my account, I created a Connect webhook configuration. I added a secret key and also checked the Include HMAC signature checkbox.

After I signed an envelope, DocuSign Connect called my API.

It sent a successful request body but it did not send the expected request header x-docusign-signature.

Reference: the Connect HMAC configuration page

I got the following request headers from DocuSign Connect.

{host=[qa.****.com], 
 content-type=[text/xml; charset=utf-8], 
 expect=[100-continue], max-forwards=[9], 
 x-forwarded-proto=[https], 
 x-forwarded-port=[443], 
 x-original-host=[qa.****.com], 
 x-original-url=[/****/v1/docusign/webhook/1177/4305], 
 x-forwarded-for=[162.248.186.11:58652, 10.3.0.5], 
 x-arr-ssl=[2048|256|C=US, S=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2|OU=Domain Control Validated, CN=qa.cloudlex.com], 
 x-arr-log-id=[06ca1160-b70c-41d9-8e8c-6e018983ad94], 
 x-forwarded-host=[qa.****.com], 
 x-forwarded-server=[qa.****.com], 
 connection=[Keep-Alive], content-length=[2184]
}

Thanks for your help.

Recommended answer

Currently, the documentation on HMAC authentication is seriously misleading as it suggests you simply enable it in the admin part of the site.

You will also need to set the 'IncludeHMAC' setting in the EventNotification part of the envelope when you send it.

This code is based on the C# DocuSign Client but should be equally applicable to other languages.

public EventNotification BuildEventNotifications(string callbackUrl)
{
    return new EventNotification
    {
        IncludeEnvelopeVoidReason = "true",
        EnvelopeEvents = new List<EnvelopeEvent>
        {
            new EnvelopeEvent("sent", "false"),
            new EnvelopeEvent("delivered", "false"), // When opened
            new EnvelopeEvent("completed", "true"), // When signed 
            new EnvelopeEvent("declined", "false"),
            new EnvelopeEvent("voided", "false")
        },
        Url = callbackUrl,
        LoggingEnabled = "true",
        IncludeHMAC = "true",
        IncludeDocuments = "false",
        RequireAcknowledgment = "true",
        RecipientEvents = new List<RecipientEvent>
        {
            new RecipientEvent("false", "Sent"),
            new RecipientEvent("false", "Delivered"),
            new RecipientEvent("true", "Completed"),
            new RecipientEvent("false", "Declined")
        }
    };
}

This is an example of how to authenticate their HMAC signature on the Api side. Example in Web Api / .NET Core but should be easy to translate into Java or the framework of your choice.

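using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class HMACAuthorization : Attribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        string xmlBody;

        // Rewind the buffered body so the payload DocuSign signed can be read here.
        context.HttpContext.Request.Body.Seek(0, SeekOrigin.Begin);
        using (var reader = new StreamReader(context.HttpContext.Request.Body, Encoding.UTF8, true, 1024, true))
        {
            xmlBody = reader.ReadToEnd();
        }

        context.HttpContext.Request.Headers.TryGetValue("X-DocuSign-Signature-1", out var hmacSignature);

        // ConfigurationSettings is the application's own settings class holding the Connect secret key.
        if (!HmacIsValid(ConfigurationSettings.DocuSignHMACKey, xmlBody, hmacSignature)) context.Result = new UnauthorizedResult();
    }

    private static bool HmacIsValid(string hmacKey, string body, string hmacSignature)
    {
        // A request without the signature header is rejected.
        if (string.IsNullOrEmpty(hmacSignature)) return false;

        var computedHmac = BuildHmacHash(hmacKey, body);

        // Constant-time comparison (.NET Core 2.1+) so the check does not leak
        // how many leading characters of the signature matched.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(computedHmac),
            Encoding.UTF8.GetBytes(hmacSignature));
    }

    private static string BuildHmacHash(string hmacKey, string body)
    {
        string hash;

        // Base64-encoded HMAC-SHA256 of the request body, keyed with the Connect secret.
        using (var sha = new HMACSHA256(Encoding.UTF8.GetBytes(hmacKey)))
        {
            hash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(body)));
        }

        return hash;
    }
}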

If you're utilising the example in .NET Core / Web Api you will need to enable rewinds on the Http request body. You can implement this functionality using this bit of middleware.

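using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Internal; // EnableRewind() extension (ASP.NET Core 2.x)

public class EnableRequestRewindMiddleware
{
    private readonly RequestDelegate _next;

    public EnableRequestRewindMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // Buffer the body so it can be read again after Seek(0).
        // On ASP.NET Core 3.0 and later the equivalent call is context.Request.EnableBuffering().
        context.Request.EnableRewind();
        await _next(context);
    }
}

// In Startup.Configure, registered before MVC so the filter sees a rewindable body:
app.UseMiddleware<EnableRequestRewindMiddleware>();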
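
The same check outside .NET, as an added Python example (not part of the original answer or of DocuSign's SDK): it hashes the raw body bytes, fails closed when no signature header arrives (the situation in the question), and compares in constant time. It assumes that numbered headers beyond X-DocuSign-Signature-1 may be present when several keys are configured; the keys and body below are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

# Header name taken from the answer's filter; the numeric suffix is generalized
# here (assumption: one numbered header per configured key).
SIG_HEADER = re.compile(r"^x-docusign-signature-\d+$", re.IGNORECASE)


def compute_signature(key: str, raw_body: bytes) -> str:
    """Base64(HMAC-SHA256(key, body)), the construction used by BuildHmacHash."""
    mac = hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_connect_request(headers: dict, raw_body: bytes, keys: list) -> str:
    """Return 'valid', 'invalid', or 'missing' when no signature header arrived."""
    received = [v.strip() for k, v in headers.items() if SIG_HEADER.match(k)]
    if not received:
        # The situation in the question: an unsigned delivery. Fail closed.
        return "missing"
    for key in keys:  # several keys let a rotated-out secret keep working
        expected = compute_signature(key, raw_body).encode("ascii")
        for candidate in received:
            # compare_digest avoids leaking the match position through timing
            if hmac.compare_digest(expected, candidate.encode("utf-8")):
                return "valid"
    return "invalid"


# Constructed sample data (not captured from a real DocuSign delivery).
SAMPLE_KEYS = ["constructed-new-key", "constructed-old-key"]
SAMPLE_BODY = b"<DocuSignEnvelopeInformation>constructed</DocuSignEnvelopeInformation>"

if __name__ == "__main__":
    signed = {"X-DocuSign-Signature-1": compute_signature(SAMPLE_KEYS[1], SAMPLE_BODY)}
    unsigned = {"content-type": "text/xml; charset=utf-8"}
    print(verify_connect_request(signed, SAMPLE_BODY, SAMPLE_KEYS))
    print(verify_connect_request(signed, SAMPLE_BODY + b" ", SAMPLE_KEYS))
    print(verify_connect_request(unsigned, SAMPLE_BODY, SAMPLE_KEYS))
```

Pass the body exactly as received, before any XML parsing or re-encoding, since a single changed byte produces a different signature.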
