Verifying X-Fitbit-Signature Header in php

SteffenThomsen · ‎04-05-2016

Hi,

Hope someone can help with this.
I'm trying to verify the X-Fitbit-Signature as described here: https://dev.fitbit.com/docs/subscriptions/#security

$content = @file_get_contents('php://input');
$signature = $_SERVER['HTTP_X_FITBIT_SIGNATURE'];
$testVal = hash_hmac("sha1", urlencode(base64_encode($content)), "consumer_secret" . "&");

if ($testVal != $signature) {
    header("HTTP/1.0 404 Not found");
    return;
}

This is not working. Any thoughts?

GaryBrittain · ‎04-08-2016

Hi,

From your code, if you remove urlencode completely and move base 64 encode to the left of hash_hmac, then just make sure the brackets are all in the right places it should work, that's roughly the code I'm using.

WarrickZedi · ‎08-10-2016

The $raw_output parameter in the hash_hmac function must be set to true, e.g.

        $updateContent = file_get_contents($request->file("updates"));
        $expectedSignature = base64_encode(hash_hmac("sha1", $updateContent, env('FITBIT_CLIENT_SECRET') . "&", true));
        $signature = $request->header("X-Fitbit-Signature");
        if ($signature != $expectedSignature) {
            return response("", 404);
        }

Join us on the Community Forums!

Community Guidelines

Learn the Basics

Join the Community!

Not finding your answer on the Community Forums?

Go to the Help Site

Contact Support

Verifying X-Fitbit-Signature Header in php

SteffenThomsen

GaryBrittain

WarrickZedi