Xero signature failed on verification.

[taitran6879]

Hello, my name is Tai.

Based on the sample here I create an receiver for webhooks, using ngrok and dot net core 2.
After encode the payload with webhook key, i got the following generated signature:
BjzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=

But in the request of webhook, i have this signature as:
/jzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=

Here's the full payload body:
`POST /webhooks HTTP/1.1
Host: 3099768b.ngrok.io
Accept: /
Accept-Encoding: gzip,deflate
Content-Type: application/json; charset=utf-8
x-xero-signature: /jzNbYUfrzg4g8wxm+dKHaZVrKxr2m75E296fUbD1E4=
Content-Length: 95
X-Forwarded-Proto: https
X-Forwarded-For: 34.233.225.118

{"events":[],"firstEventSequence": 0,"lastEventSequence": 0, "entropy": "LUWDSUDGSWNZVALZXBEV"}`

Here's the code for generating signature with given webhooks key:

public bool VerifySignature(string payload, string signatureHeader)
        {
            var generatedSignature = GenerateSignature(
                "LR+QgKlbRciIPYpi65tTKLaZ3FzLLofCNEQWrRXqWXJeDFrfexzfVI9SmnVuCWDJ4jnjHB9ECtOyxZSofRxwWw==",
                payload);

            return generatedSignature == signatureHeader;
        }

        public string GenerateSignature(string signingKey, string dataToHash)
        {
            using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(signingKey)))
            {
                var messageBytes = Encoding.UTF8.GetBytes(dataToHash);
                var hash = hmac.ComputeHash(messageBytes);
                return Convert.ToBase64String(hash);
            }
        }

Please help me to check whether i'm doing wrong or something, why the generated signature and the x-xero-signature only different in 1 character ? It works fine for me last week : (. Thanks!

[AllenDigital]

I have the same issue. The signature is out by 1 character compared to the hash result.

[AllenDigital]

I believe this is the answer:

https://community.xero.com/developer/discussion/64820912

Xero on the initial ITR will send some signatures that are correct and some that are incorrect. If you also return a body the ITR will fail.

[taitran6879]

@AllenDigital wow, I didn't expect to have an answer here. Thanks!
So, the ITR has a chance sending incorrect signature, I'm i right ?

[AllenDigital]

Correct. They send an incorrect ITR first and check that you respond with a 401 and no body within 5 seconds. If that happens correctly, they will send a correctly signed header for which you must again respond in 5 seconds with no body and a 200. They are testing to make sure you implemented the ITR correctly before sending correctly signed requests.

[taitran6879]

Wow, thanks for the clarification. Never thought of this double check approach, which caused me struggle for few weeks. I think i can proceed with Xero webhook receiver now.

Thanks @AllenDigital !!!!