I’m creating a serverless bot that will handle webhook messages, but I’m unable to verify messages, either real responses or ones sent via the Twitch CLI.
I’m following the Node example so closely but I still can’t get a signature to match and validate.
Can anyone tell me where I’m going wrong?
Code: GitHub
```javascript
const signature = request.headers.get('Twitch-Eventsub-Message-Signature').toLowerCase();
const timestamp = request.headers.get('Twitch-Eventsub-Message-Timestamp').toLowerCase();
const messageId = request.headers.get('Twitch-Eventsub-Message-Id').toLowerCase();
const messageType = request.headers.get('Twitch-Eventsub-Message-Type').toLowerCase();
const body = await request.text();
const message = messageId + timestamp + body;
const hmac = 'sha256=' + crypto.createHmac('sha256', process.env.TWITCH_WEBHOOK_SECRET).update(message).digest('hex');
const verifyHmac = crypto.timingSafeEqual(Buffer.from(hmac), Buffer.from(signature));
if (verifyHmac) {
    context.info("Message verified");
    //...
} else {
    //...
}
```
I’ve got no errors creating the HMAC but they don’t match and I’m not sure where the mismatch is going wrong.
- double triple quadruple checked that the secret matches and with various secrets
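Added example, not part of the original post or Twitch's sample code: a Node.js check showing that the HMAC only matches when the message ID, timestamp and raw body are used byte-for-byte as received, so lowercasing an RFC 3339 timestamp (uppercase `T` and `Z`) or re-serializing the body breaks verification. The helper names, secret, message ID, timestamp and body are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical helper: builds the value expected in Twitch-Eventsub-Message-Signature.
function computeSignature(secret, messageId, timestamp, rawBody) {
  // HMAC input is message id + timestamp + raw body, exactly as received.
  return 'sha256=' + crypto.createHmac('sha256', secret)
    .update(messageId + timestamp + rawBody)
    .digest('hex');
}

// Hypothetical helper: constant-time comparison that never throws.
function verifySignature(secret, headers, rawBody) {
  const expected = Buffer.from(computeSignature(secret, headers.id, headers.timestamp, rawBody));
  const received = Buffer.from(String(headers.signature || ''));
  // crypto.timingSafeEqual throws on unequal lengths, so reject those first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample notification (not real Twitch data).
const SECRET = 'constructed-test-secret';
const RAW_BODY = '{"subscription":{"type":"channel.follow"},"event":{"user_name":"Example"}}';
const SAMPLE = {
  id: 'e76c6bd4-55c9-4987-8304-da1588d8988b',
  timestamp: '2024-01-01T12:00:00.000000000Z',
};
SAMPLE.signature = computeSignature(SECRET, SAMPLE.id, SAMPLE.timestamp, RAW_BODY);

function demo() {
  return {
    // Header values and body untouched: signature matches.
    asReceived: verifySignature(SECRET, SAMPLE, RAW_BODY),
    // Lowercased timestamp ("t"/"z") changes the HMAC input: mismatch.
    lowercasedTimestamp: verifySignature(
      SECRET, { ...SAMPLE, timestamp: SAMPLE.timestamp.toLowerCase() }, RAW_BODY),
    // Parsed and re-serialized body differs from the raw bytes: mismatch.
    reserializedBody: verifySignature(
      SECRET, SAMPLE, JSON.stringify(JSON.parse(RAW_BODY), null, 2)),
    // Truncated signature header: rejected without throwing.
    truncatedSignature: verifySignature(
      SECRET, { ...SAMPLE, signature: SAMPLE.signature.slice(0, 20) }, RAW_BODY),
  };
}

console.log(demo());
```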