How to use the "hub.secret" with web hooks?

Thanks for the code samples! Ya’ll helped me figure out what I was missing. I was missing the hex encoding at the end.

Here’s what I wrote for this. It’s a C# AspNet Web API authorization filter, which is the same concept as an ExpressJS middleware, etc, except that it runs explicitly as part of the authentication / authorization pipeline. This action filter looks for the twitch-provided hash header and allows or rejects the request …

public class TwitchSecretAuthorizationAttribute : AuthorizeAttribute
{
    #region Methods

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        IEnumerable<string> headers;

        // if there is no secret header, we can reject right away
        if (actionContext.Request.Headers.TryGetValues("x-hub-signature", out headers) == false)
        {
            return false;
        }

        var header = headers.Single();

        // we will need to compare the provided hash with the hash that we
        // generate, using our secret
        var providedHash = header.Split('=').Last();

        // we need to convert our secret text to a byte array prior to
        // being used the hmac key
        var secretArray = Encoding.ASCII.GetBytes(PersistantRuntimeData.Guid);

        using (var hmac = new HMACSHA256(secretArray))
        {
            // we need to use the request body as the hash payload
            var body = actionContext.Request.Content.ReadAsStringAsync().Result;

            // now we can generate the resulting hash
            var result = hmac.ComputeHash(Encoding.ASCII.GetBytes(body));

            var stringed = BitConverter.ToString(result).Replace("-", "").ToLower();

            // we are authorized if both of the hashes match
            return providedHash.Equals(stringed, StringComparison.OrdinalIgnoreCase);
        }
    }

    #endregion
}
3 Likes