Wrong postback examples on docs
At https://docs.pagar.me/reference#validando-um-postback, we found that the JS sample lacks a basic detail for the operation.
const pagarme = require('pagarme')
// Calculate signature:
pagarme.postback.calculateSignature('X-Hub-Signature', 'postbackBody')
// returns a hash
// Verify signature:
pagarme.postback.verifySignature('X-Hub-Signature', 'postbackBody', 'expectedHash')
// returns true or false
This example is kinda wrong, due to the fact that it leads the developer to believe that he doesn’t need Pagar.me’s API Key. The right approach would be to make it explicit and clear that the developer needs the client to perform such actions, which contains the API Key.
Top GitHub Comments
@bmamone thanks for the detailed explanation 👏 ❤️ I’ve edited my comment so that it does not mislead any more developers into doing this wrong.
Unfortunately I can’t help you more since I don’t work for @pagarme anymore 😕
Just lost some time trying to get this right… not only are the docs completely wrong, leading to possible security breaches, but also the function does not work at all.
First, the docs part:
For this to work, you of course need your API KEY to have something to compare the signature to. Also, you should NOT use the string 'X-Hub-Signature', it’s actually a reference to the header you need to compare to:
So I did that and after trying a lot, it still would not say a valid signature was valid.
If you log both the X-Hub-Signature header and the calculateSignature result, you will see that verifySignature will NEVER return true, as the X-Hub-Signature header is prefixed with "sha1=". So this function does not work AT ALL. To make it worse, the docs are misleading unaware devs:
@otaviopace’s solution in this issue is basically generating a signature using a constant string "X-Hub-Signature" and whatever payload, then verifying it against the very same signature, by signing it again with the "X-Hub-Signature" string, and not the actual header sent from Pagarme. So it’s not validating anything and creates a security breach.
I did EXACTLY that, prior to finding this issue, but luckily realized that it wasn’t validating it against any useful information.
Then I found this issue, which was reported in 2017, and it’s clearly misleading devs into security breaches.
Docs and code need fixing!!
For those who want to use this function, just use calculateSignature, prefix it with "sha1=" and compare it to X-Hub-Signature. Or you can use the Node.js crypto lib: