Help

Save the date! Join us on October 16 for our Product Ops launch event. Register here.

Webhook MAC signature on Cloudflare Workers

1467 3
cancel
Showing results for 
Search instead for 
Did you mean: 
Cerulean-
4 - Data Explorer
4 - Data Explorer

Hey all,

Been trying to implement Airtable webhooks for our company however i've ran into a slight problem with the signature of the webhook itself. No matter how I move things around, encode or decode, it refuses to match the signature provided by Airtable.

The code below generates a HMAC but doesnt match the one provided by Airtable. I cant use the Crypto module since thats Node only which sucks. Is there any secret sauce that im missing from this code? All the docs say is to just decode the base64, shove it into 

Code below:

const decodedMacSecret = atob(webhookConfig.macSecretBase64);

const encoder = new TextEncoder();
const data = encoder.encode(bodyText);

const hmacKey = await crypto.subtle.importKey(
  'raw',
  encoder.encode(decodedMacSecret),
  {
    name: 'HMAC',
    hash: { name: 'SHA-256' },
  },
  false,
  ['sign']
);

const hmac = await crypto.subtle.sign(
  'HMAC',
  hmacKey,
  data
);

const expectedContentHmac = 'hmac-sha256=' + Array.prototype.map.call(new Uint8Array(hmac), x => ('00' + x.toString(16)).slice(-2)).join('');
3 Replies 3

So that I’m understanding correctly - are you referring to an Airtable Automation webhook trigger? If so, they accept a JSON body without nested objects. I use the app Postman when testing and setting them up. 

Andres_at_Conne
7 - App Architect
7 - App Architect

@Cerulean- have you solved this?  We can help

masiley
4 - Data Explorer
4 - Data Explorer

Hi,

I am having an issue to match the airtable-content-mac from the header with the one a computed.

const decodedMacSecret = atob('macSecretBase64'); //macSecretBase64 from create webhook
const body = `{
  "base": {
    "id": "appjRdIX59U4YEy4l"
  },
  "webhook": {
    "id": "achXH94CxHYGdUcje"
  },
  "timestamp": "2024-03-06T00:32:58.992Z"
}`

const hmac = createHmac('sha256', decodedMacSecret);
console.log(body)
hmac.update(body.toString(), 'ascii'); // I also tried JSON.stringify(body); 
console.log('received header: hmac-sha256=0fb79298bc57a45a34ca1d04f5237fd4a9a9223fd5c90cc04f35d3c3890180cc');
console.log('computed:        hmac-sha256=' + hmac.digest('hex'));

Thanks