
Wrong postback examples on docs


At https://docs.pagar.me/reference#validando-um-postback, we found that the JS sample lacks a basic detail for the operation.

const pagarme = require('pagarme')

// Calculate signature:
pagarme.postback.calculateSignature('X-Hub-Signature', 'postbackBody')
// returns a hash

// Verify signature:
pagarme.postback.verifySignature('X-Hub-Signature', 'postbackBody', 'expectedHash')
// returns true or false

This example is kinda wrong, due to the fact that it leads the developer to believe that he doesn’t need Pagar.me’s API Key. The right approach would be to make it explicit and clear that the developer needs the client to perform such actions, which contains the API Key.


3 reactions
evaporei commented, Mar 25, 2021

@bmamone thanks for the detailed explanation 👏 ❤️ I’ve edited my comment so that it does not mislead any more developers into doing this wrong.

Unfortunately I can’t help you more since I don’t work for @pagarme anymore 😕

3 reactions
bmamone commented, Mar 25, 2021

Just lost some time trying to get this right… not only are the docs completely wrong, leading to possible security breaches, but also the function does not work at all.

First, the docs part:

For this to work, you of course need your API KEY to have something to compare the signature to. Also, you should NOT use the string 'X-Hub-Signature', it's actually a reference to the header you need to compare to:

pagarme.postback.calculateSignature(process.env.PAGARME_API_KEY, rawBody)

pagarme.postback.verifySignature(process.env.PAGARME_API_KEY, rawBody, req.headers['x-hub-signature'])

So I did that and after trying a lot, it still would not say a valid signature was valid.

If you log both X-Hub-Signature header and the calculateSignature result, you will see that verifySignature will NEVER return true, as X-Hub-Signature header is prefixed with sha1=.

So this function does not work AT ALL. To make it worse, the docs are misleading unaware devs:

@otaviopace's solution in this issue is basically generating a signature using a constant string X-Hub-Signature and whatever payload, then verifying it against the very same signature, by signing it again with the X-Hub-Signature string, and not the actual header sent from Pagarme. So it's not validating anything and creates a security breach.

I did EXACTLY that, prior to finding this issue, but luckily realized that it wasn’t validating it against any useful information.

Then I found this issue, which was reported in 2017, and it’s clearly misleading devs into security breaches.

Docs and code need fixing!!

For those who want to use this function, just use calculateSignature, prefix it with sha1= and compare it to X-Hub-Signature. Or you can use the Node.js crypto lib:

const { createHmac } = require('crypto')

// HMAC-SHA1 of the raw (unparsed) request body, keyed with your API key
const signature = createHmac('sha1', process.env.PAGARME_API_KEY).update(rawBody, 'utf-8').digest('hex')

// Pagar.me sends the header as "sha1=<hex>", so compare against the prefixed value
if (req.headers['x-hub-signature'] !== `sha1=${signature}`) {
  // INVALID SIGNATURE
}