Help with verify EventSub signature

Azazael13 · November 24, 2020, 2:09pm

I am working on getting the new eventsub stuff fully integrated with my node bot, and the last part I am having an issue with is verifying the signature. I understand most of what is needed, but I am coming up short on the part about the raw bytes of the request body. I am using nodejs and express and have seen some of the examples @BarryCarlyon has shown for the x-signature, but am not quite sure I follow that for eventsub.

Also shout out to the twitch devs for adding an error message to the event sub after my last problem about using an a non standard port. I forgot to change my callback URL after I setup my new server and was greeted with a nice message that I was using a non standard port and I needed to fix it.

BarryCarlyon · November 24, 2020, 2:10pm

NodeJS example of EventSub Sig verficiation

Speifically line 38

github.com

BarryCarlyon/twitch_misc/blob/main/eventsub/handlers/nodejs/receive.js#L38

    
      
          http.listen(config.port, function() {
              console.log('Server raised on', config.port);
          });
          
          
// Middleware!
          // Express allows whats called middle ware
          // it runs before (or after) other parts of the route runs
          app.use(express.json({
              verify: function(req, res, buf, encoding) {
                  // is there a hub to verify against
                  req.twitch_eventsub = false;
                  if (req.headers && req.headers.hasOwnProperty('twitch-eventsub-message-signature')) {
                      req.twitch_eventsub = true;
          
          
            // id for dedupe
                      let id = req.headers['twitch-eventsub-message-id'];
                      // check age
                      let timestamp = req.headers['twitch-eventsub-message-timestamp'];
                      // extract algo and signature for comparison
                      let [ algo, signature ] = req.headers['twitch-eventsub-message-signature'].split('=');

I have it setup the same way for EventSub as Webhooks

Azazael13 · November 24, 2020, 2:18pm

Thanks I will take a look at the git work through the code. Thankfully you use meaningful comments so I should be able to figure it out I am still somewhat new to using middleware in express and that was tripping me up.

BarryCarlyon · November 24, 2020, 2:20pm

haha

I’m actually bad at commenting my code for other people

So my github for examples was a conscious effort to add them in.

Middleware saves time for running the same code against multiple routes. So it is handy.

Azazael13 · November 24, 2020, 5:16pm

Got it all working, your code was a help, though I still don’t fully understand the buf part of the body parser middleware. That is on me though, thanks for the assist.

BarryCarlyon · November 24, 2020, 5:19pm

TLDR: buf will contain the raw message.

If you were not using buf (short for buffer), a korean/french/german streamer with a localized display name or title written in French/German etc using u with umlauts, for example ä, ö, ü

Then the content would be encoded different and you would get a different verification result and your generated verficiation won’t match the one Twitch sent

system · December 24, 2020, 5:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.