Should become, note the lack of a :443, as https defaults to 443 and specifying a port is likely the issue. Or it is the fact that you are using your clientSecret as a shared secret.
DO NOT USE YOUR CLIENT SECRET AS THE TRANSPORT SECRET
Use a randomly generated string instead, one created only for this purpose.
See
The secret is a string between 10 and 100 characters that your application will define and send to Twitch in the subscription creation process. As a result, this secret should not be your Client Secret or Extension secret.
Okay, I tried using the server from your GitHub and I don’t know what I’ve done wrong.
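app.use(express.json({
    /**
     * Raw-body hook handed to express.json(). It receives the unparsed request
     * bytes in `buf`, so the EventSub HMAC is computed over exactly what was sent.
     *
     * Sets on `req`:
     *   - twitch_eventsub  {boolean} true when a signature header is present
     *   - twitch_hex       {string} HMAC-SHA256 hex digest computed locally
     *   - twitch_signature {string|undefined} digest part of the signature header
     *
     * This hook only records and logs the outcome. It never rejects the request,
     * so any route that acts on the payload must still check the result itself.
     *
     * `rString` is the HMAC key. It has to be the secret supplied when the
     * subscription was created, and must not be the client secret.
     *
     * @param {object} req - incoming request; annotated as described above
     * @param {object} res - unused
     * @param {Buffer} buf - raw request body
     * @param {string} encoding - unused
     */
    verify: function(req, res, buf, encoding) {
        req.twitch_eventsub = false;

        const signatureHeader = req.headers && req.headers['twitch-eventsub-message-signature'];
        if (typeof signatureHeader !== 'string') {
            // no signature header, so not an EventSub delivery
            return;
        }
        req.twitch_eventsub = true;

        // NOTE(review): the id and timestamp are only fed into the HMAC here.
        // Nothing in this hook rejects stale timestamps or repeated ids, so
        // replay protection has to be added wherever the message is consumed.
        const id = req.headers['twitch-eventsub-message-id'];
        const timestamp = req.headers['twitch-eventsub-message-timestamp'];

        // The header has the form "<algo>=<hex digest>". The algorithm label is
        // ignored and sha256 is always used, so the sender cannot pick the hash.
        const [ , signature ] = signatureHeader.split('=');

        // Feed the body in as raw bytes rather than concatenating it into a
        // string: string coercion decodes the Buffer as UTF-8 and would alter
        // any byte sequence that is not valid UTF-8 before it is hashed.
        req.twitch_hex = crypto.createHmac('sha256', rString)
            .update(`${id}${timestamp}`)
            .update(buf)
            .digest('hex');
        req.twitch_signature = signature;

        // Constant-time comparison, so the time taken does not depend on how
        // many leading characters of a forged signature happen to be correct.
        // timingSafeEqual throws on unequal lengths, hence the length check.
        const expected = Buffer.from(req.twitch_hex, 'utf8');
        const received = Buffer.from(typeof signature === 'string' ? signature : '', 'utf8');
        const matches = expected.length === received.length
            && crypto.timingSafeEqual(expected, received);

        if (matches) {
            console.log('Signature OK');
        } else {
            console.error('Signature Mismatch');
        }
    }
}));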
// Callback route for EventSub deliveries. It relies on req.twitch_eventsub,
// req.twitch_hex and req.twitch_signature, which the express.json() verify hook
// sets, and branches on the 'twitch-eventsub-message-type' header.
// NOTE(review): the '==' comparisons of req.twitch_hex and req.twitch_signature
// below are ordinary string compares, not constant-time; crypto.timingSafeEqual
// on equal-length Buffers is the safer form for comparing a MAC.
// NOTE(review): nothing in this handler looks at the message id or timestamp,
// so a captured, validly signed delivery would be accepted again if replayed.
app.post('/webhooks/callback', async (req, res) => {
if (req.twitch_eventsub) {
if (req.headers['twitch-eventsub-message-type'] == 'webhook_callback_verification') {
// Subscription handshake: the challenge is echoed only when the body carries
// one and the signature matched; every other case falls through to the 403.
if (req.body.hasOwnProperty('challenge')) {
if (req.twitch_hex == req.twitch_signature) {
console.log('Got a challenge, return the challenge');
// NOTE(review): Express sends a string body with an HTML content type by
// default. encodeURIComponent keeps markup characters out of the echoed value.
// Confirm the encoded form is still what Twitch expects back.
res.send(encodeURIComponent(req.body.challenge));
return;
}
}
res.status(403).send('Denied');
} else if (req.headers['twitch-eventsub-message-type'] == 'revocation') {
// NOTE(review): this branch answers without checking the signature. That is
// harmless while it only replies 'Ok', but any cleanup added here later would
// run on unauthenticated input unless the check is added too.
res.send('Ok');
} else if (req.headers['twitch-eventsub-message-type'] == 'notification') {
if (req.twitch_hex == req.twitch_signature) {
console.log('The signature matched');
res.send('Ok');
// you can do whatever you want with the data
// it's in req.body
} else {
// The payload is not processed here, but the sender still receives 200 'Ok'.
// NOTE(review): consider answering 403 as the challenge branch does, so a
// failed verification is visible to the sender and in access logs.
console.log('The Signature did not match');
res.send('Ok');
}
} else {
// Signed-looking request with a message type this handler does not know.
console.log('Invalid hook sent to me');
res.send('Ok');
}
} else {
// No EventSub signature header was present on the request.
console.log('It didn\'t seem to be a Twitch Hook');
res.send('Ok');
}
. . .
Did you check all the webhooks/entries in the Get EventSub Subscriptions endpoint (Reference | Twitch Developers)? A “dead/invalid/broken” entry will sit in the list for about 10 days.
So you might only be looking at page 1 of results from this endpoint and need to check other pages if a cursor is present?
Also note, every time you restart ngrok it’ll assign a new URL (on the free plan at least)