04-05-2016 02:42
Hi,
Hope someone can help with this.
I'm trying to verify the X-Fitbit-Signature as described here: https://dev.fitbit.com/docs/subscriptions/#security
    $content = @file_get_contents('php://input');
    $signature = $_SERVER['HTTP_X_FITBIT_SIGNATURE'];
    $testVal = hash_hmac("sha1", urlencode(base64_encode($content)), "consumer_secret" . "&");
    if ($testVal != $signature) {
        header("HTTP/1.0 404 Not found");
        return;
    }
This is not working. Any thoughts?
04-08-2016 13:19
08-10-2016 03:01 - edited 08-10-2016 03:02
The $raw_output parameter in the hash_hmac function must be set to true, e.g.
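    // Contents of the uploaded "updates" part, used unmodified as the HMAC message
    $updateContent = file_get_contents($request->file("updates"));
    // Fourth argument true = raw binary digest, which is then base64-encoded
    $expectedSignature = base64_encode(hash_hmac("sha1", $updateContent, env('FITBIT_CLIENT_SECRET') . "&", true));
    $signature = $request->header("X-Fitbit-Signature");
    // hash_equals() compares in constant time; a missing header is rejected
    if (!is_string($signature) || !hash_equals($expectedSignature, $signature)) {
        return response("", 404);
    }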
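A framework-free version of the check from the answer above, as an added example that is not code from either poster or from Fitbit. It also shows why the value computed in the question can never match. The function names, the secret and the notification body are constructed for illustration.

```php
<?php
// Added example. Signature form taken from the answer above:
// base64( HMAC-SHA1( raw body, client secret . "&" ) ).

function fitbit_expected_signature(string $rawBody, string $clientSecret): string
{
    // Fourth argument true: raw 20-byte digest rather than 40 hex characters.
    return base64_encode(hash_hmac('sha1', $rawBody, $clientSecret . '&', true));
}

function fitbit_signature_is_valid(string $rawBody, ?string $header, string $clientSecret): bool
{
    // A missing or empty header is a failed check, not an exception.
    if ($header === null || $header === '') {
        return false;
    }
    // Constant-time comparison; the computed value goes first.
    return hash_equals(fitbit_expected_signature($rawBody, $clientSecret), $header);
}

// Constructed sample values (not real credentials or real notification data).
$secret = 'example-client-secret';
$body   = '[{"collectionType":"activities","ownerId":"EXAMPLE","subscriptionId":"1"}]';

$good = fitbit_expected_signature($body, $secret);

// What the code in the question computes: a hex digest over a transformed body.
$questionStyle = hash_hmac('sha1', urlencode(base64_encode($body)), $secret . '&');

$cases = [
    'matching signature'       => [$body, $good],
    'question-style signature' => [$body, $questionStyle],
    'body altered by one byte' => [$body . ' ', $good],
    'header missing'           => [$body, null],
];

foreach ($cases as $label => [$b, $sig]) {
    printf("%-26s %s\n", $label, fitbit_signature_is_valid($b, $sig, $secret) ? 'accept' : 'reject');
}

// In an endpoint, the inputs would come from the request itself:
//   $rawBody = file_get_contents('php://input');
//   $header  = $_SERVER['HTTP_X_FITBIT_SIGNATURE'] ?? null;
// and a failed check would return the 404 used in both posts above.
```

The HMAC has to be computed over the body bytes exactly as received; re-encoding or re-serializing the JSON before hashing changes the digest.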