Reputation: 2661
We are using Plivo to send/receive SMS messages. We have a webhook configured to receive the messages sent by a customer. We want to validate that the request in fact originated from Plivo. Can anyone please tell me how to validate it using the auth token we have?
Upvotes: 0
Views: 226
Reputation: 61
It's a little bit tricky. There is an error in the Plivo documentation. Or, you could see it as a bug in their implementation.
If you are using Ruby, the code that you'll need, as explained by the documentation, is:
Base64.encode64(OpenSSL::HMAC.digest("SHA256", "AUTH_TOKEN", "YOUR_CALLBACK_URL/REQUEST_HEADER_X-Plivo-Signature-V2-Nonce"))
But this never works. You never get the hash to match the x-plivo-signature-v2, right? I've also tried to use the Auth Key instead of the Auth Token, and every combination of those fields.
To make it work you must change your code to this version:
Base64.encode64(OpenSSL::HMAC.digest("SHA256", "AUTH_TOKEN", "YOUR_CALLBACK_URLREQUEST_HEADER_X-Plivo-Signature-V2-Nonce"))
Have you noticed the difference? Yep! Drop the slash between your callback URL and X-Plivo-Signature-V2-Nonce.
I verified it against the current implementation of the Plivo SDK (4.3.2).
By the way, if you're insecure about where to find your AUTH_TOKEN and YOUR_CALLBACK_URL
Upvotes: 1
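A complete webhook check built on the construction this answer reports (HMAC-SHA256 over the callback URL immediately followed by the nonce, Base64-encoded), added here as an example; it is not code from the answer or from the Plivo SDK. The helper names and all sample values are assumptions constructed for illustration.

```ruby
require "openssl"
require "base64"

# Expected X-Plivo-Signature-V2 value: Base64(HMAC-SHA256(auth_token, url + nonce)).
# URL and nonce are concatenated with no separator, as the answer above found.
def expected_plivo_signature(auth_token, callback_url, nonce)
  mac = OpenSSL::HMAC.digest("SHA256", auth_token, callback_url + nonce)
  # strict_encode64 emits no trailing newline (encode64 appends "\n").
  Base64.strict_encode64(mac)
end

# Constant-time comparison so response timing does not reveal how many
# leading characters of a forged signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns true only when both header values are present and the signature matches.
def valid_plivo_signature?(auth_token, callback_url, nonce, signature)
  return false if nonce.nil? || nonce.empty? || signature.nil? || signature.empty?
  secure_equal?(expected_plivo_signature(auth_token, callback_url, nonce), signature.strip)
end

# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_TOKEN = "constructed-auth-token"
SAMPLE_URL   = "https://example.com/plivo/inbound"
SAMPLE_NONCE = "05429567804466091622"
SAMPLE_SIG   = expected_plivo_signature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_NONCE)
# What the slash-joined form from the answer's first snippet would produce.
SLASH_SIG = Base64.strict_encode64(
  OpenSSL::HMAC.digest("SHA256", SAMPLE_TOKEN, "#{SAMPLE_URL}/#{SAMPLE_NONCE}")
)

if __FILE__ == $PROGRAM_NAME
  puts valid_plivo_signature?(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_NONCE, SAMPLE_SIG) # matching
  puts valid_plivo_signature?(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_NONCE, SLASH_SIG)  # slash-joined
end
```

Pass the callback URL exactly as the sender signed it; a URL rebuilt behind a reverse proxy can differ in scheme or host and will fail the comparison. Reject the request when either header is missing rather than skipping the check.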
Reputation: 13031
The Plivo documentation here has a section about how to verify the signature of an incoming webhook request (it's using HMAC).
Upvotes: 1