Forbidden - failed verifySignature

ehsankhodayar · May 28, 2022, 10:05pm

I have set up some smart apps on both AWS Lambda and Webhook (Glitch) successfully. Now, I want to run my smart app on Webhook using my localhost. So, I have used Hookdeck to create a URL to receive events from the SmartThings platform and then send them to my smart app on localhost. I can successfully verify my app in the developer work space with the link that it sends to my smart app. The problem is that I can receive data from the platform, but when I want to send requests from my smart app to the platform using the API, it gives me the following error:

2022-05-28T21:43:39.145Z error: Forbidden - failed verifySignature
2022-05-28T21:43:39.147Z error: Unauthorized

I think it is because of the authorization token. The platform is sending request to the URL which has been generated by Hookdeck, but I am sending requests to the platform from my smart app not in the same way (i.e., through Hookdeck). How can I solve this issue?

nayelyz · May 30, 2022, 9:15pm

Please, check if the workaround I included in this post works for you:

ehsankhodayar · May 31, 2022, 2:22pm

Thank you very much for your response. I have solved my problem by buying a personal DNS and making a tunnel from my localhsot to the DNS server. However, I have also tested your solution and still have the same problem. I share the first block of my code that may help you more.

const express = require('express');
const SmartApp = require('@smartthings/smartapp');
const server = module.exports = express();
server.use(express.json());

const app = new SmartApp();

server.get('/', (req, res) => {
  res.send('Turns on and off a light when something opens and closes');
});

/* Handles lifecycle events from SmartThings */
server.post('/', async (req, res) => {
    app.handleHttpCallback(req, res);
});

I have changed my post method to yours but nothing changed and still the same error:

server.post('/', (req, res, next) => {
    req.url = req.originalUrl;
    app.handleHttpCallback(req, res);
});

nayelyz · May 31, 2022, 2:28pm

Mmm maybe the URL is modified somewhere else, have you checked the content of those variables to see if they are correct?

If you already solved the issue, then you can leave it as it is.

ehsankhodayar · May 31, 2022, 3:03pm

I checked both values, including req.url and req.originalUrl, before applying any modification, and both of them were:

/

nayelyz · May 31, 2022, 4:53pm

Oh, I just checked and the team applied a change directly to the SmartApp SDK to avoid this issue, just make sure you have the latest version of the SDK:

github.com/SmartThingsCommunity/smartapp-sdk-nodejs

fix: Handle re-written URLs in HTTP signature validation

SmartThingsCommunity:master ← bflorian:http-signature-url

opened 01:51PM - 13 May 21 UTC

bflorian

+491 -161

The HTTP signature validation library used by the SDK runs into issues with syst…ems that re-write the request url, such as nginx and the AWS API gateway. This issue with the library provides more information: https://github.com/joyent/node-http-signature/issues/87 This PR also properly moves the snyk package to be a dev dependency, to reduce package since. ## Types of changes - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to change) - [x] I have read the **[CONTRIBUTING](/CONTRIBUTING.md)** document - [x] My code follows the code style of this project (hint: install an [xo editor plugin](https://github.com/xojs/xo#editor-plugins)) - [ ] Any required documentation has been added - [ ] I have added tests to cover my changes

So that workaround isn’t necessary anymore, you mentioned you solved it here:

So, that’s the way to go.
Sorry for the confusion, I just remembered the case which was reported a long time ago and thought the workaround was still necessary but I was wrong.

ehsankhodayar · June 2, 2022, 3:44am

Thank you very much for your help. Yes, the problem may rooted in the the SDK version because I have used one of the available simple examples, which is about controlling the smart light.

Humancell · June 12, 2022, 7:43pm

Hello,

I’m running into this exact same issue … and it might not be the host name in my case. I am using these latest SDK that is mentioned above, and still failing.

What parameters exactly are used to create the signature? I’m using Apache mod_proxy to provide my HTTPS endpoint, passing through to node.js / Node-RED (specifically this awesome project: GitHub - otaviojr/node-red-contrib-smartthings: Allows you to control your devices and get their status using NodeRed)

In doing my proxy I am passing through from:

https://myhost.com/nodered/smartthings/smartapp

to

http://myotherhost.com:1880/smartthings/smartapp

Now the URL is being passed through using the ProxyPreserveHost parameter, however I wonder if the port number is being used in the signature?

How can I see to better understand exactly what is being used in the signature that might be causing this?

nayelyz · June 13, 2022, 3:37pm

This is the library used to check the HTTP signature in the SmartApp SDK: http-signature - npm
It would be useful to check that library separately in another project to see how it reacts.

Humancell · June 14, 2022, 2:08pm

Yes, I’ve been Googling extensively to see how it is used by various projects. I’m now building a way to trace the request payloads before and after the proxy to see how it is being modified to fail the verification.

It’s funny how many issues customers are having with this, and how little has been done to rectify the issue or better support a work around. :-/

This is a pretty standard configuration to front-end a set of servers in a more commercial setting, but I guess that the APIs and webhooks weren’t originally designed to support business customers very well.

I’ll continue to update this thread as I continue to dig into this, and would have hoped that someone at Samsung in engineering could have provided a little more information to assist in resolving this.

Topic		Replies	Views
Verifying HTTP Signature (Webhook SmartApp, node.js) Writing SmartApps	2	1365	September 6, 2018
SmartApp public key Support	1	593	August 26, 2020
Not able to verify WebHook SmartApp Support	32	1366	October 3, 2023
SmartThings is not able to verify the registration of the WebHook SmartApp Support	6	188	July 10, 2024
SmartApp Registration fails verification - never ever hits my web app Apps & Clients smartapp , developers	0	330	February 13, 2023

Forbidden - failed verifySignature

Related topics