Comments (3)
If you have access to a servlet request, you can use: https://github.com/Nexmo/nexmo-java/blob/master/src/main/java/com/nexmo/client/auth/RequestSigning.java#L127
from vonage-java-code-snippets.
@judy2k thanks for answering my concern
I do not have access to a servlet request; however, I think I can take the code snippet and give it a try.
My main concern is that I use the POST-JSON webhook, so I do not see how the signature will differ from one request to another (i.e. I have no parameters in the URL and the body is not www-form-encoded, thus request.getParameterMap() will return nothing).
Also, the clean(String str) looks a little strange to me, but I'll try some experiments.
First, I still need Nexmo to activate signatures on the webhook since I do not receive the "sig" value... I'll come back to this thread to share results!
from vonage-java-code-snippets.
I managed to get it working without a servlet context, yeah! :)
I've implemented a NexmoSigner class which takes a secret signature key and can then sign any combination of parameters.
Here is the code (this is Kotlin):

```kotlin
import com.nexmo.client.auth.RequestSigning
import java.security.MessageDigest
import java.util.TreeMap

class NexmoSigner(val secretSigKey: String) {
    fun sign(sortedParams: TreeMap<String, String>): String {
        // adapted from https://github.com/Nexmo/nexmo-java/blob/master/src/main/java/com/nexmo/client/auth/RequestSigning.java
        // walk this sorted list of parameters and construct a string
        val sb = StringBuilder()
        for ((name, value) in sortedParams) {
            if (name == RequestSigning.PARAM_SIGNATURE) continue
            sb.append("&").append(clean(name)).append("=").append(clean(value))
        }
        // append the secret key and calculate an md5 signature of the resultant string
        sb.append(secretSigKey)
        return md5Hex(sb.toString())
    }

    // '=' and '&' would break the "&name=value" layout, so they are replaced by '_' (as the SDK does)
    private fun clean(str: String?): String? {
        return str?.replace("[=&]".toRegex(), "_")
    }

    // hex-encoded MD5 of the UTF-8 bytes; stands in for the SDK's MD5Util.calculateMd5 helper
    private fun md5Hex(input: String): String =
        MessageDigest.getInstance("MD5").digest(input.toByteArray(Charsets.UTF_8))
            .joinToString("") { "%02x".format(it) }
}
```
Then I can use it to check the signature of my SMS receipt with a simple:

```kotlin
protected fun verifyRequestSignature(req: NexmoDeliveryWebhookRequest): Boolean {
    val md5 = nexmoSigner.sign(TreeMap<String, String>().apply {
        put("status", req.status)
        put("messageId", req.messageId)
        put("sig", req.sig) // will be excluded automatically
        put("timestamp", req.timestamp)
        put("err-code", req.errCode)
        put("message-timestamp", req.messageTimestamp)
        put("msisdn", req.msisdn)
        put("network-code", req.networkCode)
        put("price", req.price)
        put("scts", req.scts)
        put("to", req.to)
        put("nonce", req.nonce)
    })
    // verify that the supplied signature matches the generated one
    return md5 == req.sig
}
```
Note that NexmoDeliveryWebhookRequest is declared as follows:

```kotlin
import com.google.gson.annotations.SerializedName

// see https://developer.nexmo.com/messaging/sms/guides/delivery-receipts and https://developer.nexmo.com/api/sms#delivery-receipt
data class NexmoDeliveryWebhookRequest(
    val status: String = "",
    val messageId: String = "",
    val sig: String = "",
    val timestamp: String = "",
    @SerializedName("err-code") val errCode: String = "",
    @SerializedName("message-timestamp") val messageTimestamp: String = "",
    val msisdn: String = "",
    @SerializedName("network-code") val networkCode: String = "",
    val price: String = "",
    val scts: String = "",
    val to: String = "",
    val nonce: String = "" // /!\ undocumented in the Nexmo guide and API doc !!!
)
```

The "big" trouble for me was finding the 'nonce' parameter.
The code could surely be improved (especially if you can deal with the raw JSON: you can dynamically "discover" all the properties instead of having to declare a class like I did).
from vonage-java-code-snippets.
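The dynamic approach the last comment suggests, written out as an added example (not code from the thread or from the Nexmo SDK): it parses the raw POST-JSON body, signs every top-level member except `sig` with the same sorted-parameter, cleaning and MD5-plus-secret scheme the NexmoSigner above uses, rejects unsigned bodies, and compares the digests in constant time. The secret and the receipt values are constructed for the example.

```python
import hashlib
import hmac
import json

SIG_PARAM = "sig"


def _clean(value: str) -> str:
    # Nexmo replaces '=' and '&' in names and values with '_' before signing
    return value.replace("=", "_").replace("&", "_")


def compute_signature(params: dict, secret: str) -> str:
    """'&name=value' pairs sorted by name (sig excluded), then the shared
    secret appended, then hex MD5: the same scheme as the thread's signer."""
    parts = []
    for name in sorted(params):
        if name == SIG_PARAM:
            continue
        value = "" if params[name] is None else str(params[name])
        parts.append("&" + _clean(name) + "=" + _clean(value))
    return hashlib.md5(("".join(parts) + secret).encode("utf-8")).hexdigest()


def verify_json_webhook(raw_body: bytes, secret: str) -> bool:
    """Verify a POST-JSON receipt: every top-level member of the body is a
    signed parameter, so the receiver need not know the field list up front."""
    try:
        params = json.loads(raw_body)
    except ValueError:
        return False
    if not isinstance(params, dict):
        return False
    supplied = params.get(SIG_PARAM)
    if not isinstance(supplied, str) or not supplied:
        return False  # unsigned body: reject instead of silently accepting it
    expected = compute_signature(params, secret)
    # constant-time comparison; hex case normalised in case the sender upper-cases it
    return hmac.compare_digest(expected.lower().encode("utf-8"), supplied.lower().encode("utf-8"))


# Constructed sample receipt (not a real Nexmo payload); the fields mirror the
# delivery-receipt parameters listed in the thread, including the undocumented nonce.
SAMPLE_SECRET = "example-signature-secret"
SAMPLE_RECEIPT = {
    "msisdn": "447700900000", "to": "NEXMO", "network-code": "12345",
    "messageId": "0A0000001234567B", "price": "0.03330000", "status": "delivered",
    "scts": "2001011400", "err-code": "0", "message-timestamp": "2020-01-01 12:00:00",
    "timestamp": "1577880000", "nonce": "constructed-nonce-value",
}
SAMPLE_RECEIPT["sig"] = compute_signature(SAMPLE_RECEIPT, SAMPLE_SECRET)
SAMPLE_BODY = json.dumps(SAMPLE_RECEIPT).encode("utf-8")
```

Because the signature covers every member of the body, a receipt with a changed `status` or a missing `nonce` fails verification without the receiver having to enumerate the fields.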