Answered

Intercom App Signed Request verification failing

  • 25 November 2021
  • 6 replies
  • 33 views
U

Hi Guys,

 

We've built a third party App for Intercom Inbox. So, according to the documentation - https://developers.intercom.com/building-apps/docs/canvas-kit#section-signing-notifications , we verify the requests by generating the signature from the request body and comparing with the one Intercom sends us in the request headers. But, for some % of the requests, the signature doesn't match & it's creating a problem for the users of app.

 

Details:

Backend: NodeJS

const crypto = require("crypto");
 
const INTERCOM_APP_SECRET = "OUR_SECRET";
 
function verifyIntercomRequest(requestBodyRaw, signatureFromHeaders) {
const generatedSignature = crypto
.createHmac("sha256", INTERCOM_APP_SECRET)
.update(requestBodyRaw)
.digest("hex");
return signatureFromHeaders === generatedSignature;
}

We also checked the source IPs of the request & it falls into one of the following - https://developers.intercom.com/building-apps/docs/canvas-kit#section-whitelisting-i-ps

Although they are correct IPs, can't completely trust them as IPs can be spoofed

 

How do we debug this & move forward ?

 

Regards

icon

Best answer by Aparna 2 December 2021, 16:38

View original

6 replies

A

Hey @user164​ ! Not sure exactly what's happening here. This need to be investigated in detail. Can you please start a conversation from the Messenger in your workspace with all the details, so our support team can thoroughly look into the issue?

U

Ok. Thanks Aparna

A

Hello @user164​ @aparna​ 

 

Would it be possible to share the outcome of this issue here, as we appear to encounter the same (random-ish) issue with quite the same signature check implementation ?

 

Thanks !

U

I didn't get any satisfactory resolution from Intercom then. We had put it on hold as the number of such issues came down to a less significant percentage

A

Ah, too bad, nevertheless: thank you for your time ! :)

A

Hello @user164​ we eventually found the issue on our part : actually we were using a body parser that interpreted the payload, which led to some confusion because JavaScript transforms non-significant floating parts of numbers (e.g. 0.0, which may be passed in the payload from Intercom) into simple "integers" (e.g. 0). Which, when retransformed into JSON, makes the hash difference.

Here you will find Express and Nest -compatible examples of solutions, assuming your issue has the same root: https://stackoverflow.com/questions/54346465/access-raw-body-of-stripe-webhook-in-nest-js/p>

Reply


Terms & ConditionsCookie settings