EventSub Webhook - Unable to verify any messages

Creating a serverless bot that will handle Webhook messages, but I’m unable to verify messages, real responses or via Twitch CLI.

I’m following the Node example so closely but I still can’t get a signature to match and validate.

Can anyone tell me where I’m going wrong?

Code: GitHub

const signature = request.headers.get('Twitch-Eventsub-Message-Signature').toLowerCase();
const timestamp = request.headers.get('Twitch-Eventsub-Message-Timestamp').toLowerCase();
const messageId = request.headers.get('Twitch-Eventsub-Message-Id').toLowerCase();
const messageType = request.headers.get('Twitch-Eventsub-Message-Type').toLowerCase();
const body = await request.text();

const message = messageId + timestamp + body;
const hmac = 'sha256=' + crypto.createHmac('sha256', process.env.TWITCH_WEBHOOK_SECRET).update(message).digest('hex');

const verifyHmac = crypto.timingSafeEqual(Buffer.from(hmac), Buffer.from(signature));

if (verifyHmac) {
    context.info("Message verified");
    //...
} else {
    //...
}

I’ve got no errors creating the HMAC but they don’t match and I’m not sure where the mismatch is going wrong.

  • double triple quadruple checked that the secret matches and with various secrets

Line 16

You use .text which is an intrpeted output not the raw buffer.

Since this is azure you need to use whatever thing is needed to get the RAW input not an interpreted/processed POST body input

Thank you. They’ve updated Azure Functions relatively recently and will have to figure out how to get it with the removal of being able to just call request.rawBody()

But thank you. Figured I’d open it up to see if I was making a mistake I overlooked.