I'm attempting to connect to a webhook sent from the Deposco WMS software's webhook. I worked with Celigo Developer Katie Thorpe who had the following to say:
"
The Deposco team provided the below as how they encrypt and decrypt data. But we were able to send the exact same retry data to the webhook using Postman. Essentially something about how they encrypt and decrypt seems to be handled slightly differently than how Celigo natively does so.
We were using Hexadecimal for the HMAC Encoding on the Webhook, which their documentation and the logic below seems to support.
@jackharris I played around a bit and ended on a python script like this that worked. For starters, webhooks don't accept plain text so you would need to send JSON or XML. The second thing I found is sorting the keys of the body is needed and without sorting the keys, it fails.
Here is a JavaScript pre-request script that does the same in Postman and works:
// Define the secret key and JSON payload
const secretKey = ‘50qaL883baRa5kgg’; // Replace with your actual secret key
const requestBody = {
“event”: “order.created”,
“order_id”: “12345”,
“amount”: 100.50
};
// Convert JSON payload to a compact string with sorted keys
const dataStr = JSON.stringify(requestBody, Object.keys(requestBody).sort());
// Utility function for HMAC SHA-256 calculation with explicit UTF-8 encoding
function generateHMAC(key, message) {
var hash = CryptoJS.HmacSHA256(CryptoJS.enc.Utf8.parse(message), CryptoJS.enc.Utf8.parse(key));
return CryptoJS.enc.Hex.stringify(hash);
}
// Generate the HMAC for the request body
const hmac = generateHMAC(secretKey, dataStr);
// Set the generated HMAC as a header
pm.request.headers.add({
key: ‘X-MY-HMAC’,
value: hmac
});
// Set the JSON payload as the body of the request
pm.request.body.raw = dataStr;
@jackharris I checked this out a little more and I think Deposco isn't generating the HMAC correctly. They need to make sure that the body being sent is the same as the body being put into generating the HMAC. Issues occur when tabs/whitespaces are removed from the body, but not from when generating the HMAC or vice versus.
For example, if they send the below in the body,
{
“test”: 1
}
but send
{“test”:1}
in the body of HMAC generation, then the signature will not match.
To ensure proper formatting, they should generate like this:
Convert JSON payload to a compact string with sorted keys
@jackharris I reviewed the ticket and tested it myself and it looks like Deposco isn't even sending the HMAC header. I'll leave this for the support ticket at this point.
For the sake of anyone else attempting to connect to the Deposco WMS software's webhook, the solution was to use a Secret URL instead of an HMAC connection because, for whatever reason, the HMAC is not included in Deposco's header to Celigo.
