I have been working on YouTube Push Notifications Subscription.
I'm able to subscribe for it and did received push notifications from YouTube. I have used HMAC secret for this subscription. I need to confirm that the data I'm receiving is sent from the YouTube server. I can't find any document to get to know about how PubSubHubbub is creating signature.
I have tried the following steps:
did normalized the request body (which is XML content),
did created SHA1 digest in HEX form.
But this signature doesn't match with the one sent from PubSubHubbub.
Could anyone please explain the steps to calculate signature for this purpose?
Thanks in advance.
According to the official docs of PubSubHubbub Core (v0.4, the latest), you have to follow precisely the algorithm described there:
8. Authenticated Content Distribution
If the subscriber supplied a value for hub.secret in their subscription request, the hub MUST generate an HMAC signature of the payload and include that signature in the request headers of the content distribution request. The X-Hub-Signature header's value MUST be in the form sha1=signature where signature is a 40-byte, hexadecimal representation of a SHA1 signature [RFC3174]. The signature MUST be computed using the HMAC algorithm [RFC2104] with the request body as the data and the hub.secret as the key.
When subscribers receive a content distribution request with the X-Hub-Signature header specified, they SHOULD recompute the SHA1 signature with the shared secret using the same method as the hub. If the signature does not match, subscribers MUST still return a 2xx success response to acknowledge receipt, but locally ignore the message as invalid. Using this technique along with HTTPS [RFC2818] for subscription requests enables simple subscribers to receive authenticated notifications from hubs without the need for subscribers to run an HTTPS [RFC2818] server.
Please note however that this signature only ensures that the payload was not forged. Since the notification also includes headers, these should not be considered as safe by the subscriber, unless of course the subscriber uses HTTPS [RFC2818] callbacks.
If you'll mention the programming environment that you use, I may help you further.
Related
We are using twilio to send/receive SMS messages. We have a webhook configured to receive the messages sent by a customer. We want to validate if the request infact originated from twilio. I was going through the documentation and found that there is a method called validated in twilio sdk. For some reason we are not using the sdk. So we want to validate it by ourself. Can anyone please tell me how to validate?
You can do it yourself without the SDK if you wish.
In short, you'll have to use https for your webhooks when configuring at Twilio, and, on your server side, validate a signature which Twilio sends as a header X-Twilio-Signature when making the request.
Computing the signature means to re-assemble the request data and compute a hash using your Twilio account AuthToken.
This is explained in more details on Twilio's docs here:
https://www.twilio.com/docs/usage/security#validating-requests
Task is to receive messages and delete messages. Am modeling this in Postman. I can successfully execute the receive messages action, but not the delete message action.
I have tried copying the receipt handle string from the receive messages response and using it in the delete messages request, and also tried url encoding the string. Both returned errors
In Postman I run the aws sqs ReceiveMessage action and get the ReceiptHandle
<ReceiptHandle>AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==</ReceiptHandle>
Then I run the aws sqs DeleteMessage action
Try #1
Pass the ReceiptHandle with exact copy
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS/ZO9wta+a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM+S6MKs/XGyZ206S3NC2V38CUKLO+sPF0mfP47wqu7+nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX+IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4+Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ+mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==&Version=2012-11-05
In the response, Postman shows the ‘+’ being replaced with spaces, so assume this is an encoding problem:
The input receipt handle "AQEBjiliZegyBS/ZO9wta a/heA/tSx/f6tLFqfH38jEZ2r9zguHAljXhG/B8tXaM S6MKs/XGyZ206S3NC2V38CUKLO sPF0mfP47wqu7 nAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs/VPLX IWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg/K5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh/J4 Yd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm/E2bgjpRjVRxZ mrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A==" is not a valid receipt handle.
Try #2
URL Encode the Receipt Handle:
Action=DeleteMessage&ReceiptHandle=AQEBjiliZegyBS%2FZO9wta%2Ba%2FheA%2FtSx%2Ff6tLFqfH38jEZ2r9zguHAljXhG%2FB8tXaM%2BS6MKs%2FXGyZ206S3NC2V38CUKLO%2BsPF0mfP47wqu7%2BnAIwettlxTGQAYuCFqI1CYBYHXxgajB1UEiFz8Kc6v8SlWs%2FVPLX%2BIWjckoQOtMRl977sxM5pCLhMNvIwh1RYFvybM0D0WEbJEuYb9JU3DZuRZg%2FK5rjvNooPqER4FR1JJxpZiJ0tu6481CyePLtEh%2FJ4%2BYd2kYRyuqN788oEdSTZIKprA6lHUCiCmeuqCb0yEDsxJcCVX4GmDok5KMHm%2FE2bgjpRjVRxZ%2BmrnLqTSwojt0LXg61vv8dNF8QD4sngPXqhmKQ7yp5O6S8ygn4lIPaUGOl5cgX1HsB3Q9Pfv3sg4A%3D%3D&Version=2012-11-05
Error response is:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
Does the receipt handle need to be encoded?
Based on SQS DeleteMessage docs, your second attempt with URL encoding the receipt handle is correct.
It looks like you're having a problem with authentication & authorization - you need to sign your requests with auth params - this is what prevents (a) others from making unauthorized requests to your account's resources, and (b) others from intercepting and modifying (or replaying) your requests to your account's resources.
This tutorial provides great details on this how to do this auth via postman:
Postman makes it easy to setup all the necessary authorization using Collections. Configure the AWS authorization in the parent collection with the Access Key and Secret Access Key found in the AWS Console:
Then reference that authorization in each request:
For full information on how to construct the auth params more manually (which AWS API will do for you by the way), see http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
I'm working with the Snapchat API to try and log into an app using their OAuth flow. Once the user is logged in via Snapchat, I'm trying to reverse engineer (since they have no documentation on this) how to obtain some sort of unique ID for the user so I can associate them with a local user in my database. This is how I have previously done this with things like Facebook. The user logs in and gets an access token via the Facebook Api, and I can extract some kind of unique ID for the user via the Facebook API.
The Snapchat API only allows you to access the user's display name and some "externalId", which I cannot guarantee won't change. So I decoded the JWT token that Snapchat issued to me and it challenged my understanding of how JWT tokens work. When I decoded the token at http://jwt.io, I saw that the payload was empty, yet the token works when calling the https://kit.snapchat.com/v1/me endpoint. How is the snapchat server able to identify who I am? I've always had the understanding that the JWT must include a claim such as sub which identifies the user. The server can then use that information to know who I am.
In this case, my JWT payload is empty, but the aforementioned endpoint still returns my user data. What is happening here? How does the server know who I am when my JWT token has an empty payload? To me they must be storing a copy of my JWT token on the server, which seems like the incorrect way to use JWT tokens. Perhaps my understanding is terribly wrong. Any thoughts?
The payload of a JWS (signed token) can be detached and transmited to the audience by other means.
This feature is described in the Appendix F of the specification.
With the JWS compact serialization mode (the most common format), a token looks like THE_HEADER.THE_PAYLOAD.THE_SIGNATURE. With a detached payload it is identical except that THE_PAYLOAD is an empty string: THE_HEADER..THE_SIGNATURE.
The verification of the signature is the same as with an attached payload. The receiver should have received the payload and must recreate the full input i.e. THE_HEADER.THE_PAYLOAD.
Regarding the identification performed by snapshat, a reference to the detached payload may be set in a header parameter of the token (first part of the token) allowing Snapchat to fully verify the token.
For iOS applications that require push notifications, it must first request the user for permission to do so. After that, a device token is generated and with this, the remote server may communicate to the user through this token.
I have read a similar question here and I do not feel it is enough. The picture below is a trusted certificate, it allows me to view all traffic that happens on this device.
With Fiddler2 as well as CertMaker, I can sniff HTTPS traffic, which means the client can probably know what data they are sending, and to where.
My question is, knowing that SSL is not secure from protecting my clients from seeing what I send to the remote server, should I simply encypt with a secret key found within my application?
Such as encrypt("device_token","secretkey_a0a0a0a") (pretend this is Objective-C)?
Couldn't someone just find that key within my application? I also read this question, and it seems that it would be possible to get back the secret key.
My plan for this goes like this:
Within the iOS application, Generate a random string named activate.
Encrypt (not hash), the token by the random string and a secret key that I only know. (secretkey_a0a0a0)
Send the encrypted string along with the generated randomly generated string (active).
Within serverside, I check if I can decrypt a valid token from using the active and my secret key.
I save the token in my database if it is valid.
This prevents people from random entering tokens yes, however, secretkey_a0a0a0 is a string literal. It's very possible to get this within the application binary itself.
My question is, how do I protect this secret key? The answer can also be, how can I prevent people from sending invalid tokens to my server as well.
I have heard of encryption, but doesn't that only apply to resource files?
How should I approach this?
If you do SSL-Pinning ( AFNetworking has this implemented ) you won't be able to (in a reasonable timeframe) sniff the https traffic between the client and server if you don't have the servers private key.
If your fear is that man in the middle can steal your token and send fake push notifications to users of your application, be sure that this cant happend. Since requests to apple apn servers must be signed with pem file, the main concern should be how to keep certificate file secured, and not apn token. If you want to prevent writing invalid tokens in your database then you should implement some CRC or odd/even bit mechanism.
You might want to check the security section in the Push Notifications Guide, in particular the section titled "Token Generation and Dispersal".
The device token is generated by the device connecting through the Apple's APNS. My guess (they don't say in the docs) is that it's unique for a given app identifier.
The APNS then will probably match those identifiers with the pem certificate you use to communicate with it thus validating that the push notifications are actually originating from your app.
Encrypting the device token seems overkill in this scenario.
To prevent someone maliciously spamming your server with tokens, I would hash the token when a secret key and send both the token and the hash to the server. You can then hash the token again on the server, with your secret key, and check that the request is valid.
I have a server side java application which send bulk push messages to apple server. Recently i'm getting multiple SSLSocketException: Connection closed by remote host OR SSLSocketException: Broken pipe expcetions.
I understand that in case i'm sending invalid tokens, apple forcefully closes the connection. I also have a feedback loop, but the failing tokens never appear on feedback loop since they are not even accepted by apple.
Is there any algorithm or method to know, why the device token is "invalid" ?
Why the device token is invalid?
Assuming you got all your device tokens from Apple and didn't create dummy tokens, the most likely cause for invalid tokens is a DB that has both production tokens and sandbox tokens.
How to find which tokens are invalid :
You should use the enhanced APN format, in which you specify the message ID. After each message you send to Apple, you should try reading from the socket after setting the timeout to a large enough value. Apple will send you error responses for the invalid tokens, which specify the message ID. This will let you find the invalid tokens and remove them from your DB.
Note that you should only use this method (reading responses after each message with a long timeout) in order to clean your DB. After your DB is clean from invalid tokens you don't want to use it, since it will make the notifications delivery very slow.