Author: Sankaet Pathak. Created: 2015-08-04.

HMAC For Web hooks


We are glad to announce that SynapsePay now supports HMACs on web hooks.

If you are not familiar with HMAC, it is a protocol that helps you judge the authenticity of a received message. This comes in handy when you want to quickly find out whether a web hook was sent by SynapsePay or by a malicious party.

Our implementation is pretty straightforward.

The signature is a SHA-1 HMAC hash computed from the posted payload, with client_secret as the secret key.

Look at the following payload for an example:

```json
{
  "from": {
    "type": "SYNAPSE-US",
    "id": {
      "$oid": "55bc003586c2734097136553"
    }
  },
  "extra": {
    "ip": "192.168.0.1",
    "supp_id": "1283764wqwsdd34wd13212",
    "webhook": "http://requestb.in/q94kxtq9",
    "process_on": {
      "$date": 1439614732220
    },
    "note": "Deposit to bank account",
    "created_on": {
      "$date": 1439528332220
    },
    "other": {
      "attachments": [
        "https://synapse_django.s3.amazonaws.com/sandbox_attachments/2015/08/14/531fe246-f3e8-4557-ab9d-bc9f1e903272.csv",
        "https://synapse_django.s3.amazonaws.com/sandbox_attachments/2015/08/14/c238e0f2-922b-4624-af00-d03044a64dbf.csv"
      ]
    }
  },
  "timeline": [
    {
      "date": {
        "$date": 1439528332218
      },
      "status": "CREATED",
      "note": "Transaction created",
      "status_id": "1"
    }
  ],
  "to": {
    "type": "SYNAPSE-US",
    "id": {
      "$oid": "5574ecd386c27322e9e26d28"
    }
  },
  "amount": {
    "currency": "USD",
    "amount": 1.1
  },
  "client": {
    "id": 844,
    "name": "SynapsePay*Sandbox"
  },
  "fees": [
    {
      "note": "Synapse Facilitator Fee",
      "to": {
        "id": {
          "$oid": "559339aa86c273605ccd35df"
        }
      },
      "fee": 0.1
    },
    {
      "note": "Facilitator Fee",
      "to": {
        "id": {
          "$oid": "5574ecd386c27322e9e26d28"
        }
      },
      "fee": 1.0
    }
  ],
  "_id": {
    "$oid": "55cd758c86c2735f0b1a06b4"
  },
  "recent_status": {
    "date": {
      "$date": 1439528332218
    },
    "status": "CREATED",
    "note": "Transaction created",
    "status_id": "1"
  }
}
```

If this is what we are going to post to **http://requestb.in/q94kxtq9**, we will do the following:

Use your client secret as the key and [trans_$oid '+' recent_status.date] as raw.

The following snippets should make the process clearer:

```python
import base64
import hmac
from hashlib import sha1

def signature(payload, key='your_client_secret'):
    # raw is the transaction's $oid, a '+', and the recent_status date
    raw = '{0}+{1}'.format(payload['_id']['$oid'], payload['recent_status']['date']['$date'])
    hashed = hmac.new(key.encode(), raw.encode(), sha1)
    # The signature: base64 of the hex digest
    return base64.b64encode(hashed.hexdigest().encode()).decode()
```

```javascript
var crypto = require('crypto');

// payload is the parsed JSON body shown above
var raw = payload._id.$oid + '+' + payload.recent_status.date.$date;

var client_secret = 'your_client_secret';

// HMAC-SHA1 hex digest, then base64-encode the hex string
var hmac = Buffer.from(crypto.createHmac('sha1', client_secret).update(raw).digest('hex'));

var hash = hmac.toString('base64').replace('\n', '');

console.log(hash);
```

So if our client_secret for this request was **11c94ba6bad74d24a0158bc707f0fc19a86dc08f**

The signature will be **ZDg2ODQxNjUzNWJlMzQ5YzhhZDI0MjRhZWY3NzUyY2YxOTc5Nzk1MQ==**

We then take this signature and add it to the header of the request with the name **X-Synapse-Signature**.

That's all. Please let us know if you have any questions.
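The receiving side of this scheme, as an added example that is not SynapsePay's code: the web hook endpoint recomputes the signature from the posted body and compares it with the **X-Synapse-Signature** header in constant time. The function names, the placeholder secret and the trimmed sample body are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json


def expected_signature(payload, client_secret):
    """base64(hex(HMAC-SHA1(client_secret, oid + '+' + date))), as the post describes."""
    raw = "{0}+{1}".format(payload["_id"]["$oid"],
                           payload["recent_status"]["date"]["$date"])
    digest_hex = hmac.new(client_secret.encode(), raw.encode(), hashlib.sha1).hexdigest()
    return base64.b64encode(digest_hex.encode()).decode()


def verify_webhook(body, headers, client_secret):
    """Return True only if X-Synapse-Signature matches the recomputed signature."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-synapse-signature")
    if not received:
        return False
    try:
        expected = expected_signature(json.loads(body), client_secret)
    except (ValueError, KeyError, TypeError):
        return False  # malformed JSON or missing signed fields: reject
    # Constant-time comparison, so timing does not reveal how much of the value matched.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed sample: $oid and $date are the ones in the post's payload;
# the secret is a placeholder, not a real client_secret.
SAMPLE_SECRET = "placeholder_client_secret"
SAMPLE_BODY = json.dumps({
    "_id": {"$oid": "55cd758c86c2735f0b1a06b4"},
    "recent_status": {"date": {"$date": 1439528332218}, "status": "CREATED"},
    "amount": {"currency": "USD", "amount": 1.1},
}).encode()
SAMPLE_HEADERS = {
    "X-Synapse-Signature": expected_signature(json.loads(SAMPLE_BODY), SAMPLE_SECRET)
}

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET))   # True
    print(verify_webhook(SAMPLE_BODY, SAMPLE_HEADERS, "wrong_secret"))  # False
    print(verify_webhook(SAMPLE_BODY, {}, SAMPLE_SECRET))                # False
```

The signed string holds only `_id.$oid` and `recent_status.date.$date`, so a matching signature does not authenticate the other fields in the body, such as the amount; treat those as unverified.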
Improved: Using hex digest for HMAC
Improved: Using [trans_$oid '+' recent_status.date] as raw