Verify Webhook event came from Netatmo

The Netatmo API is a set of webservices allowing developers and third parties to access Netatmo device's data.
SwedishCoder
Posts: 1
Joined: 13 Jul 2020, 14:20

Post by SwedishCoder »

We plan to integrate Netatmo, but for that we need a reliable way to test if the request came from Netatmo.
Is there a way to verify that the webhook request came from Netatmo?
So far I have found one reference to [X-Netatmo-Secret] in the header whilst searching for this, but zero references on how this signature is calculated.
I am assuming this is using SHA256 to hash a secret using a combination of other header attributes as well as the client id/secret, but I have found absolutely nothing regarding this.

Could anyone elaborate if this is actually sent in the headers, and if so how it can be verified?
mcflyyy
Posts: 3
Joined: 25 Jul 2019, 20:43

Re: Verify Webhook event came from Netatmo

Post by mcflyyy »

Hello,

Is it possible to have an answer from the developer team, please?

I have the same problem on my webhook server (camera detection). I receive a header with this data:
'x-netatmo-secret':
'*************************************45495b82d66848589023108c5',
'user-agent': 'NetatmoWebhookServer/1.0',
'content-length': '650'

I try to compare the SHA256 hash of request.body, but the length doesn't match.

Can you explain what content-length represents? Is it the length of the message body?

This is my code in Node.js:


const crypto = require('crypto');

// Convert the parsed request body back to a string
var payload = JSON.stringify(req.body);
// client_secret: the client secret of the Netatmo application
var hmac = crypto.createHmac('sha256', client_secret);

// Passing the data to be hashed
var data = hmac.update(payload);

// Creating the HMAC in the required format
var gen_hmac = data.digest('hex');

// Printing the output on the console
console.log("hmac : " + gen_hmac);

=> FAIL ... I think I have a problem with the conversion of request.body to a string (JSON.stringify): the length doesn't match the content length.

Can you give us the documentation of NetatmoWebhookServer/1.0?

Thanks in advance!
Xavier.
mcflyyy
Posts: 3
Joined: 25 Jul 2019, 20:43

Re: Verify Webhook event came from Netatmo

Post by mcflyyy »

Hello,

You will find the explanations below:

You have effectively received the HMAC key generated by Netatmo in the headers.

"x-netatmo-secret":"19cafe36e8ef5379aacd04cc4***************************"

To verify this key, you need to calculate the HMAC from the request body.

There is however a trick. If you are using PHP to create your webhook, you can go to the following sources: https://github.com/Netatmo/Netatmo-API- ... xample.php

If you are using Node.js, you must absolutely read the request.body in TEXT format!!!!
This requires an Express server configuration:
https://stackoverflow.com/questions/654 ... e-urlhttps

After that you can calculate the key with the following code:

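// request.body must be the raw text of the request, not a parsed object
let stra = request.body;

// HMAC-SHA256 of the raw body, keyed with the application's client secret
var buf1 = crypto.createHmac('sha256', 'CLIENT SECRET KEY FROM NETATMO APP').update(stra);
var hmackey = buf1.digest('hex');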

Then you can compare the generated key with the Netatmo value...


@NETATMO -> Please document your API correctly !!!!!!!!!!!!!!!!!!!!!!
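
Added example, not part of the original posts and not Netatmo's code: a Node.js check of the `x-netatmo-secret` header over the raw body bytes, showing why a body re-serialized with `JSON.stringify` fails and why its length differs from `content-length`. It assumes, as described in this thread, that the header is the hex HMAC-SHA256 of the raw body keyed with the client secret; the secret, payload and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption taken from this thread: x-netatmo-secret is the hex HMAC-SHA256
// of the raw request body, keyed with the application's client secret.
function verifyNetatmoSignature(rawBody, headerValue, clientSecret) {
  // Reject a missing or malformed header before comparing.
  if (typeof headerValue !== 'string' || !/^[0-9a-f]{64}$/i.test(headerValue)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', clientSecret).update(rawBody).digest();
  const received = Buffer.from(headerValue, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(received, expected);
}

// Constructed sample data (not a real Netatmo payload or secret).
// In Express, the raw bytes can be captured with express.raw() or the
// `verify` callback of express.json().
const CLIENT_SECRET = 'constructed-client-secret';
const RAW_BODY = Buffer.from('{"event":  "constructed", "note": "d\\u00e9tection"}', 'utf8');
// What the sender would put in the header for exactly these bytes.
const HEADER = crypto.createHmac('sha256', CLIENT_SECRET).update(RAW_BODY).digest('hex');

function demo() {
  // What a JSON body parser followed by JSON.stringify hands back:
  // whitespace and \u escapes are not preserved, so the bytes change.
  const reserialized = Buffer.from(
    JSON.stringify(JSON.parse(RAW_BODY.toString('utf8'))), 'utf8');
  const tampered = Buffer.from(
    RAW_BODY.toString('utf8').replace('constructed', 'forged'), 'utf8');
  return {
    rawOk: verifyNetatmoSignature(RAW_BODY, HEADER, CLIENT_SECRET),
    reserializedOk: verifyNetatmoSignature(reserialized, HEADER, CLIENT_SECRET),
    tamperedOk: verifyNetatmoSignature(tampered, HEADER, CLIENT_SECRET),
    wrongSecretOk: verifyNetatmoSignature(RAW_BODY, HEADER, 'other-secret'),
    malformedHeaderOk: verifyNetatmoSignature(RAW_BODY, 'not-hex', CLIENT_SECRET),
    contentLength: RAW_BODY.length,          // bytes as sent on the wire
    reserializedLength: reserialized.length, // differs, so the HMAC differs too
  };
}

console.log(demo());
```

Only `rawOk` is true; every other check is rejected, including the re-serialized body whose byte length no longer equals the original.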