Answered

Intercom App Signed Request verification failing

  • November 25, 2021
  • 6 replies
  • 65 views

Hi Guys,

 

We've built a third-party app for Intercom Inbox. So, according to the documentation - https://developers.intercom.com/building-apps/docs/canvas-kit#section-signing-notifications, we verify the requests by generating the signature from the request body and comparing it with the one Intercom sends us in the request headers. But, for some % of the requests, the signature doesn't match & it's creating a problem for the users of the app.

Details:

Backend: NodeJS

const crypto = require("crypto");

const INTERCOM_APP_SECRET = "OUR_SECRET";

// Returns true when the hex HMAC-SHA256 of the raw request body,
// keyed with the app secret, equals the signature from the request headers.
function verifyIntercomRequest(requestBodyRaw, signatureFromHeaders) {
  const generatedSignature = crypto
    .createHmac("sha256", INTERCOM_APP_SECRET)
    .update(requestBodyRaw)
    .digest("hex");
  return signatureFromHeaders === generatedSignature;
}

We also checked the source IPs of the request & it falls into one of the following - https://developers.intercom.com/building-apps/docs/canvas-kit#section-whitelisting-i-ps

Although they are correct IPs, we can't completely trust them, as IPs can be spoofed.

How do we debug this & move forward?

Regards

Best answer by Aparna

Hey @user164! Not sure exactly what's happening here. This needs to be investigated in detail. Can you please start a conversation from the Messenger in your workspace with all the details, so our support team can thoroughly look into the issue?


6 replies

  • Employee
  • 328 replies
  • Answer
  • December 2, 2021

Hey @user164! Not sure exactly what's happening here. This needs to be investigated in detail. Can you please start a conversation from the Messenger in your workspace with all the details, so our support team can thoroughly look into the issue?


  • Author
  • New Participant
  • 3 replies
  • December 6, 2021

Ok. Thanks Aparna


  • Connector
  • 6 replies
  • May 13, 2022

Hello @user164 @aparna

Would it be possible to share the outcome of this issue here, as we appear to encounter the same (random-ish) issue with quite the same signature check implementation?

Thanks!


  • Author
  • New Participant
  • 3 replies
  • May 13, 2022

I didn't get any satisfactory resolution from Intercom then. We had put it on hold as the number of such issues came down to a less significant percentage.


  • Connector
  • 6 replies
  • May 13, 2022

Ah, too bad, nevertheless: thank you for your time! :)


  • Connector
  • 6 replies
  • May 16, 2022

Hello @user164, we eventually found the issue on our part: actually we were using a body parser that interpreted the payload, which led to some confusion because JavaScript transforms non-significant floating parts of numbers (e.g. 0.0, which may be passed in the payload from Intercom) into simple "integers" (e.g. 0). Which, when retransformed into JSON, makes the hash differ.

Here you will find Express- and Nest-compatible examples of solutions, assuming your issue has the same root: https://stackoverflow.com/questions/54346465/access-raw-body-of-stripe-webhook-in-nest-js
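
Added example, not part of the thread and not Intercom's or any poster's code: it reproduces the root cause described in the last reply, showing that an HMAC computed over a parsed and re-serialized body no longer matches once `0.0` has become `0`, while the exact received bytes verify. The secret, payload and field names are constructed for illustration, and the comparison uses `crypto.timingSafeEqual` instead of `===`.

```javascript
const crypto = require("crypto");

// Constructed values for this example only (not a real secret or payload).
const APP_SECRET = "example-secret";
const RAW_BODY = Buffer.from(
  '{"workspace_id":"abc123","input_values":{"amount":0.0}}', "utf8");

// Hex HMAC-SHA256 of the given bytes, as the sender computes it.
function sign(bytes, secret) {
  return crypto.createHmac("sha256", secret).update(bytes).digest("hex");
}

// Verify against the exact bytes received; compare in constant time.
function verifySignature(rawBody, signatureHex, secret) {
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const received = Buffer.from(String(signatureHex), "hex");
  // timingSafeEqual throws on a length mismatch, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// What a JSON body parser followed by JSON.stringify hands back.
function reserialize(rawBody) {
  const parsed = JSON.parse(rawBody.toString("utf8"));
  return Buffer.from(JSON.stringify(parsed), "utf8");
}

function demo() {
  const signature = sign(RAW_BODY, APP_SECRET); // signature the sender attaches
  const reserialized = reserialize(RAW_BODY);
  return {
    reserializedText: reserialized.toString("utf8"),
    rawOk: verifySignature(RAW_BODY, signature, APP_SECRET),
    reserializedOk: verifySignature(reserialized, signature, APP_SECRET),
  };
}

console.log(demo());
```

In an Express app, the `verify` option of `express.json()` receives the unparsed body as a Buffer, which is the value to pass as `rawBody` here.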

