We plan to integrate Netatmo, but for that we need a reliable way to test if the request came from Netatmo.
Is there a way to verify that the Webhook request came from Netatmo?
So far I have found one reference of [X-Netatmo-Secret] in the header whilst searching for this, but zero references on how this signature is calculated.
I am assuming this is using SHA256 to hash a secret using a combination of other header attributes as well as the client id/secret, but I have found absolutely nothing regarding this?
Could anyone elaborate if this is actually sent in the headers, and if so how it can be verified?
Verify Webhook event came from netatmo
Re: Verify Webhook event came from netatmo
Hello,
Is it possible to have an answer from the developer team please?
I have the same problem on my webhook server (camera detection). I receive a header with this data:

```
'x-netatmo-secret':
'*************************************45495b82d66848589023108c5',
'user-agent': 'NetatmoWebhookServer/1.0',
'content-length': '650'
```

I try to compare the SHA256 hash of request.body but the length doesn't match.
Can you explain what content-length represents? Is it the length of the message body?
This is my code in Node.js:

```javascript
const crypto = require('crypto');

// Re-serialise the parsed body
var payload = JSON.stringify(req.body);
// client_secret holds the client secret of the application
var hmac = crypto.createHmac('sha256', client_secret);
// Passing the data to be hashed
var data = hmac.update(payload);
// Creating the HMAC in the required format
var gen_hmac = data.digest('hex');
// Printing the output on the console
console.log("hmac : " + gen_hmac);
```

=> FAIL ... I think I have a problem with the conversion of request.body to a string (JSON.stringify): the length doesn't match the content length.
Can you give us the documentation of NetatmoWebhookServer/1.0?
Thanks in advance!
Xavier.
Re: Verify Webhook event came from netatmo
Hello,
You will find the explanations below:
You have effectively received the HMAC key generated by Netatmo in the headers.

```
"x-netatmo-secret":"19cafe36e8ef5379aacd04cc4***************************"
```

To verify this key, you need to calculate the HMAC from the request body.
There is however a trick. If you are using PHP to create your webhook, you can go to the following sources: https://github.com/Netatmo/Netatmo-API- ... xample.php
If you are using Node.js you must absolutely read the request.body in TEXT format !!!!
This requires an express server configuration:
https://stackoverflow.com/questions/654 ... e-urlhttps
After that you can calculate the key with the following code:

```javascript
const crypto = require('crypto');

// request.body must be the raw text of the request, not a parsed object
let stra = request.body;
var str = JSON.stringify(stra); // not used for the HMAC below
var buf1 = crypto.createHmac('sha256', 'CLIENT SECRET KEY FROM NETATMO APP').update(stra);
var hmackey = buf1.digest('hex');
```

Then you can compare the generated key with the Netatmo value...
@NETATMO -> Please document your API correctly !!!!!!!!!!!!!!!!!!!!!!
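The check described in the reply above, as an added example that is not part of the original posts or Netatmo's own code: it computes HMAC-SHA256 over the raw body bytes, compares in constant time, and shows why re-serialising a parsed body fails. The secret, body and function names are constructed for illustration, and the 64-character hex header format is an assumption taken from the `digest('hex')` call in the thread.

```javascript
const crypto = require('crypto');

// Constructed sample values (not real Netatmo data).
const CLIENT_SECRET = 'constructed-client-secret';
const RAW_BODY = Buffer.from('{"event": "constructed", "id": 1}', 'utf8');

// Hex HMAC-SHA256 over the exact bytes received on the wire.
function computeSignature(rawBody, clientSecret) {
  return crypto.createHmac('sha256', clientSecret).update(rawBody).digest('hex');
}

// True only when the x-netatmo-secret header matches the body.
// Assumption: the header carries 64 hex characters.
function verifyWebhook(rawBody, headerValue, clientSecret) {
  if (typeof headerValue !== 'string' || !/^[0-9a-f]{64}$/i.test(headerValue)) {
    return false; // missing or malformed header: reject before comparing
  }
  const expected = Buffer.from(computeSignature(rawBody, clientSecret), 'hex');
  const received = Buffer.from(headerValue, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// What JSON.stringify(req.body) produces after a JSON body parser has run:
// the same data, but not necessarily the same bytes (whitespace is dropped).
function reserialized(rawBody) {
  return Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');
}

// Simulate the sender signing the raw body with the shared secret.
const SAMPLE_HEADER = computeSignature(RAW_BODY, CLIENT_SECRET);

console.log('raw body      :', verifyWebhook(RAW_BODY, SAMPLE_HEADER, CLIENT_SECRET));
console.log('re-serialised :', verifyWebhook(reserialized(RAW_BODY), SAMPLE_HEADER, CLIENT_SECRET));
console.log('byte lengths  :', RAW_BODY.length, 'vs', reserialized(RAW_BODY).length);
```

In Express, `express.raw({ type: 'application/json' })` leaves `req.body` as a Buffer of the received bytes, which can be passed to `verifyWebhook` before any JSON parsing.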