help menu

Join us on the Community Forums!

  • Community Guidelines

    The Fitbit Community is a gathering place for real people who wish to exchange ideas, solutions, tips, techniques, and insight about the Fitbit products and services they love. By joining our Community, you agree to uphold these guidelines, so please take a moment to look them over.

  • Learn the Basics

    Check out our Frequently Asked Questions page for information on Community features, and tips to make the most of your time here.

  • Join the Community!

    Join an existing conversation, or start a new thread to ask your question. Creating your account is completely free, and takes about a minute.

Not finding your answer on the Community Forums?

Cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

[PHP] X-Fitbit-Signature not matching when testing against example in documentation

ANSWERED

‎08-11-2023 11:42

‎08-11-2023 11:42

I'm looking to add a validation check for X-Fitbit-Signature and I'm following along the example given here but when I made a test script to see if it works, it does not and I'm not sure why that is.

I'm fairly certain I'm doing it right, and I've played around with the example payload a few times but nothing I do will make the example given match for me.

Is the example wrong or does the json has to bwe a certain format that I haven't tried? (I've made it all one line and that didn't work either).

I don't feel comfortable adding the header check until I can verify myself that it'll work, so hoping someone can point me to where I may be going wrong or if the documentation is missing an important step.

Thanks.

Best Answer
Labels:
0 Votes
1 BEST ANSWER

Accepted Solutions

‎08-16-2023 08:25

In response to sparkwatson

‎08-16-2023 08:25

I decided to just roll the dice and test it on our staging environment and it appears to be working correctly, Fitbit was able to hit the endpoint and the validation passed so while I couldn't make a reproducible example for myself, I was able to confirm it's working and that's good enough for me. 😀

View best answer in original post

Best Answer
0 Votes
9 REPLIES 9

‎08-11-2023 11:47

‎08-11-2023 11:47

This is my PHP script:

<?php
$payload = '[omitted due to forum validation]';

$clientSecret = '123ab4567c890d123e4567f8abcdef9a&';
$checksum = base64_encode(hash_hmac('sha1', $payload, $clientSecret, true));
$expectedValue = 'Oyv+HBziS4dH/fHJ735cToXX6vs=';

if ($checksum === $expectedValue) {
    echo "Checksum Verified.\n";
} else {
    echo "Checksum Failed.\n\n";
    echo "DEBUGGING:\n";
    echo "VALUE:\t\t".$checksum."\n";
    echo "EXPECTED VALUE:\t".$expectedValue."\n";
}

This is what I get back:

Checksum Failed.

DEBUGGING:
VALUE: DWL9bvdGZ4rQwePgCYEgI3xEFoo=
EXPECTED VALUE: Oyv+HBziS4dH/fHJ735cToXX6vs=
Best Answer
0 Votes

‎08-14-2023 06:58

In response to sparkwatson

‎08-14-2023 06:58

Hi @sparkwatson 

I'm not familiar with PHP however, the samples I found online seems to mimic what you are doing.   For $payload, are you specifying the entire notification including the array?

[
  {
    "collectionType": "foods",
    "date": "2020-06-01",
    "ownerId": "228S74",
    "ownerType": "user",
    "subscriptionId": "1234"
  }
]

 

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎08-14-2023 07:50

In response to Gordon-C

‎08-14-2023 07:50

Am I not supposed to? I assumed the signature is the  body plus the secret.

Best Answer
0 Votes

‎08-14-2023 10:58

In response to sparkwatson

‎08-14-2023 10:58

You are.  The signature includes the body and secret.   Let me see if I can put together a PHP example for you.   

Gordon

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎08-14-2023 11:24

In response to Gordon-C

‎08-14-2023 11:24

That'd be great, I feel like I have the code portion right, I may just be assuming the payload portion incorrectly.

Best Answer
0 Votes

‎08-16-2023 08:25

In response to sparkwatson

‎08-16-2023 08:25

I decided to just roll the dice and test it on our staging environment and it appears to be working correctly, Fitbit was able to hit the endpoint and the validation passed so while I couldn't make a reproducible example for myself, I was able to confirm it's working and that's good enough for me. 😀

Best Answer
0 Votes

‎08-22-2023 12:05

In response to sparkwatson

‎08-22-2023 12:05

Hi @sparkwatson,

Thank you for the update.   Out of curiosity, did you use the same code as above which the value generated and the expected value do not match?

 

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes

‎08-22-2023 14:14

In response to Gordon-C

‎08-22-2023 14:14

basically, yes, I used the same code as provided here. I'm guessing the disconnect is just how the example request body is parsed. While I'd like to have a reproducible test, it's not the end of the world if it seems to work when used in the wild, the important part is it works when Fitbit send my API data and it does so I'll take that as a win and settle for it.

Best Answer
0 Votes

‎08-23-2023 07:39

In response to sparkwatson

‎08-23-2023 07:39

Great!!   Glad to hear.

Gordon Crenshaw
Senior Technical Solutions Consultant
Fitbit Partner Engineering & Web API Support | Google
Best Answer
0 Votes