Answered PASOE Authenticate incoming requests by cross-checking the HTTP header

Cecil

19+ years progress programming and still learning.
OE: 11.7
I'm using the PASOE Web transport.
I need to authenticate the incoming request by cross-checking the HTTP header value "X-WC-Webhook-Signature":U

I need to be able to get the poRequest:Entity value in the memptr unaltered.
Currently, it [poRequest:Entity] is in a JSON construct and can't be cast to a ByteBucket.

The reason for the request body to be loaded into a memptr is so that I can perform a message-digest() function over it and match the hash value.

Fragment of my code
Code:
lcWebhookSignature = poRequest:GetHeader("X-WC-Webhook-Signature":U):value.
message "X-WC-Webhook-Signature" lcWebhookSignature.

/* Error raised by the cast below:
   "Invalid cast from Progress.Json.ObjectModel.JsonObject to OpenEdge.Core.ByteBucket. (12869) (12869)" */
assign
    objRawResponse = cast(poRequest:Entity, ByteBucket)
    objRawPayload  = objRawResponse:GetBytes().

message substitute("HMAC-SHA-256 &1 bytes", objRawResponse:size).

lcCalculatedSignature = string(base64-encode(message-digest("HMAC-SHA-256", objRawPayload:value, chConsumerSecret))).

message "Calculated Signature" lcCalculatedSignature.
 

peterjudge

Member
In OE 12.5 and up, there's a GetRawEntity() method that will get you the raw/plain bytes, as a Memptr instance, on the WebRequest. In 11.7 you can use the same approach - see ADE/WebRequest.cls at 8e76c2c7d0eddc3c7d10c613fa17255c1f970b8d · progress/ADE.

Just make sure you clean up after yourself - every time you get the WEB-CONTEXT's FORM-LONG-INPUT you get a deep copy, which you will need to clean up.

If you do end up using a Memptr class, it has a GetHash method that will produce a digest of the contents, using a given algorithm.
 

Cecil

Thanks, Peter!

I completely forgot that PASOE was a wrapper for the classic WebSpeed.

I've made the code change and in theory, it should work.
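
The check discussed in this thread, as an added example that is not part of the original posts or of any Progress code: it uses Python to show why the HMAC-SHA-256 digest must be taken over the raw request bytes rather than over a parsed-and-reserialised JSON entity, and compares the result to the header in constant time. The secret, the body and the function names are constructed for illustration; the sender is assumed to sign the way the question's code does (Base64 of HMAC-SHA-256 over the body).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not from the thread).
SECRET = b"constructed-consumer-secret"
RAW_BODY = b'{"id": 42,  "total": "19.90", "status":"processing"}'


def compute_signature(raw_body: bytes, secret: bytes) -> str:
    """Base64 of HMAC-SHA-256 over the exact bytes received on the wire."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(raw_body: bytes, header_value, secret: bytes) -> bool:
    """True only if header_value is the signature of raw_body under secret."""
    if not header_value:
        return False  # a missing or empty header is a rejection, not a pass
    expected = compute_signature(raw_body, secret).encode("ascii")
    received = header_value.strip().encode("utf-8")
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(expected, received)


def reserialized(raw_body: bytes) -> bytes:
    """Bytes you get back when only the parsed JSON object is available."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# What the sender would place in X-WC-Webhook-Signature for RAW_BODY.
HEADER = compute_signature(RAW_BODY, SECRET)

if __name__ == "__main__":
    print("raw bytes verify:         ", verify_webhook(RAW_BODY, HEADER, SECRET))
    # Same JSON content, different whitespace, therefore a different digest.
    print("reserialised JSON verifies:",
          verify_webhook(reserialized(RAW_BODY), HEADER, SECRET))
    print("missing header verifies:  ", verify_webhook(RAW_BODY, None, SECRET))
```
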
 