
Hi Guys,

 

We've built a third-party app for Intercom Inbox. According to the documentation (https://developers.intercom.com/building-apps/docs/canvas-kit#section-signing-notifications), we verify the requests by generating the signature from the request body and comparing it with the one Intercom sends us in the request headers. But for some % of the requests, the signature doesn't match, and it's creating a problem for the users of the app.

 

Details:

Backend: NodeJS

const crypto = require("crypto");

const INTERCOM_APP_SECRET = "OUR_SECRET";

function verifyIntercomRequest(requestBodyRaw, signatureFromHeaders) {
  const generatedSignature = crypto
    .createHmac("sha256", INTERCOM_APP_SECRET)
    .update(requestBodyRaw)
    .digest("hex");
  return signatureFromHeaders === generatedSignature;
}

We also checked the source IPs of the requests & they fall into one of the following - https://developers.intercom.com/building-apps/docs/canvas-kit#section-whitelisting-i-ps

Although they are correct IPs, we can't completely trust them, as IPs can be spoofed.

 

How do we debug this & move forward ?

 

Regards

Hey @user164! Not sure exactly what's happening here. This needs to be investigated in detail. Can you please start a conversation from the Messenger in your workspace with all the details, so our support team can thoroughly look into the issue?


Ok. Thanks Aparna


Hello @user164 @aparna

 

Would it be possible to share the outcome of this issue here, as we appear to encounter the same (random-ish) issue with quite the same signature check implementation ?

 

Thanks !


I didn't get any satisfactory resolution from Intercom then. We had put it on hold as the number of such issues came down to a less significant percentage


Ah, too bad, nevertheless: thank you for your time ! :)


Hello @user164, we eventually found the issue on our part: we were using a body parser that interpreted the payload, which led to some confusion because JavaScript transforms non-significant floating parts of numbers (e.g. 0.0, which may be passed in the payload from Intercom) into simple "integers" (e.g. 0), which, when retransformed into JSON, makes the hash differ.

Here you will find Express- and Nest-compatible examples of solutions, assuming your issue has the same root: https://stackoverflow.com/questions/54346465/access-raw-body-of-stripe-webhook-in-nest-js


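The root cause described in the last reply, as an added example that is not code from the thread or from Intercom: an HMAC computed over a parsed-then-re-serialized body fails as soon as the payload contains a number such as 0.0, while the same check over the raw bytes passes. The secret, the payload and all function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample values (not real Intercom data): a placeholder secret and
// a raw body containing 0.0, the kind of number the last reply describes.
const SECRET = "example-client-secret";
const RAW_BODY = Buffer.from('{"canvas":{"stored_data":{"score":0.0}},"ok":true}', "utf8");

function sign(secret, bytes) {
  return crypto.createHmac("sha256", secret).update(bytes).digest("hex");
}

// Verify against the exact bytes received, comparing in constant time.
function verifySignature(secret, bodyBytes, signatureHex) {
  const expected = Buffer.from(sign(secret, bodyBytes), "hex");
  const received = Buffer.from(String(signatureHex || ""), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// What the verifier sees when a JSON body parser ran first and the handler
// re-serializes req.body: 0.0 comes back as 0, so the bytes differ.
function reserialize(bodyBytes) {
  return Buffer.from(JSON.stringify(JSON.parse(bodyBytes.toString("utf8"))), "utf8");
}

// Debugging aid: run both strategies on one request so a log line shows
// whether a mismatch comes from re-serialization or from a bad signature.
function compareStrategies(secret, rawBytes, signatureHex) {
  const reparsed = reserialize(rawBytes);
  return {
    raw: verifySignature(secret, rawBytes, signatureHex),
    reparsed: verifySignature(secret, reparsed, signatureHex),
    bytesChanged: !rawBytes.equals(reparsed),
  };
}

// In Express the raw bytes can be kept next to the parsed body with the
// parser's verify hook: express.json({ verify: (req, res, buf) => { req.rawBody = buf; } })
console.log(compareStrategies(SECRET, RAW_BODY, sign(SECRET, RAW_BODY)));
```

Payloads without such numbers round-trip byte for byte, which is why only a fraction of requests fail when the signature is computed over the re-serialized body.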