I have a webhook set up to send all events for all Entity types and all fields available in the schema, to check if all events can be treated.
Our endpoint validates the token by using the recommended approach:

    import hashlib
    import hmac

    def validate_sg_secret_token(self, request):
        """
        Validate that the SgHook's secret token is valid,
        i.e. corresponds to the one set in Shotgun for the Hook.

        .. seealso:: https://developer.shotgunsoftware.com/3d448f5e/#signature-verification

        :param request: A :class:`HttpRequest` instance.
        :returns: A bool, ``True`` if the secret token is valid, ``False`` otherwise.
        """
        # Sign the raw request bytes exactly as received.
        body = request.body
        secret_token = self.secret_token.encode()
        generated_signature = "sha1=%s" % hmac.new(secret_token, body, hashlib.sha1).hexdigest()
        signature = request.META.get("HTTP_X_SG_SIGNATURE")
        # A request without the header can never match.
        if signature is None:
            return False
        # Constant-time comparison instead of ==, so the check does not leak
        # how many leading characters of the signature matched.
        return hmac.compare_digest(signature.encode(), generated_signature.encode())

It works fine for a majority of events, but for some of them, the validation fails:
uploaded_config changed on PipelineConfiguration 72 by user 148
sg_uploaded_movie_mp4 changed on Version 22670 by user 130
sg_uploaded_movie_webm changed on Version 22669 by user 130
For one of these, for example sg_uploaded_movie_mp4, these are the headers:

    {
      "accept": "application/json",
      "user-agent": "SG event-pipeline",
      "content-type": "application/json; charset=utf-8",
      "x-sg-signature": "sha1=adfafdafjkadl;fjkadlfdjak;fda" (EDITED IT TO NOT HAVE THE REAL SIGNATURE HERE),
      "x-sg-webhook-id": "b3abfff7-2009-486d-a158-6a221e12ccce",
      "x-sg-delivery-id": "fc846b97-f62c-479a-ae7e-c835da1271bb",
      "x-sg-event-batch-id": "49598278149308584818866679699646100057626115312772448658",
      "x-sg-event-batch-size": "10",
      "x-sg-webhook-site-url": "https://gpltechdemos.shotgunstudio.com/",
      "x-sg-event-batch-index": "6"
    }

This is the payload:

    {
      "data": {
        "id": "199845.22417.0",
        "meta": {
          "type": "attribute_change",
          "entity_id": 22670,
          "new_value": {
            "url": "https://sg-media-usor-01.s3-accelerate.amazonaws.com/8e1a9f6b4c4e3aa0ecc356f91937c9d2662fa221/f023b43a84c2f78c6d64ed339d93ea95abdec8f9/ARR0200_comp_VKS_v0048.mp4?response-content-disposition=filename%3D%22ARR0200_comp_VKS_v0048.mp4%22&x-amz-meta-user-id=130&x-amz-meta-user-type=HumanUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAYJG6Z4JI3Y2THCLP%2F20210512%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20210512T210859Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Security-Token=FwoGZXIvYXdzEE4aDCO%2FYVGepp5UoMDPPCKvAXB02uUiFLdQBEm25Jh5YmLA2ENNw7ossBpFeb1VIfl8PHO%2Ff5DwNDoALfIKbu2fygiAUHsX55RS8RjDL8FLVLBti1oDj9XIlgggIDu9dNM5%2Bmr9p6EHIVVwAEwVX8crIfMGHx36VoxqdPSz50UxVw1VjVaJVZQMif7cqLDBgAnFZlBuHRRx0YhkvwX0HHddELHp2Hd5JVioCahdpwCwTmKOnrf4qNhVKdKfxZVX5YQohPLwhAYyLfVo2MxfPIG1iwnmvvuyvQk5C3shue0B0%2BqI5ZQLN6BJK4ZfIrLS3et9qwnmlA%3D%3D&X-Amz-Signature=542ab0e33c93d3f57d4538792de37dbf5de3250a0b5b89f88437f168cbbddb9c",
            "icon_url": "/images/filetypes/filetype_icon_misc.png",
            "icon_class": "filetype_icon_misc",
            "display_name": "ARR0200_comp_VKS_v0048.mp4",
            "attachment_id": 39502,
            "original_fname": "ARR0200_comp_VKS_v0048.mp4",
            "attachment_type": "s3_uploaded_file",
            "fullsize_thumbnail_url": null
          },
          "old_value": null,
          "entity_type": "Version",
          "attribute_name": "sg_uploaded_movie_mp4",
          "field_data_type": "url"
        },
        "user": {
          "id": 130,
          "type": "HumanUser"
        },
        "entity": {
          "id": 22670,
          "type": "Version"
        },
        "project": {
          "id": 135,
          "type": "Project"
        },
        "operation": "update",
        "created_at": "2021-05-12 21:08:59.858456",
        "event_type": "Shotgun_Version_Change",
        "delivery_id": "fc846b97-f62c-479a-ae7e-c835da1271bb",
        "session_uuid": null,
        "attribute_name": "sg_uploaded_movie_mp4",
        "event_log_entry_id": 2186388
      },
      "timestamp": "2021-05-12T21:11:27Z"
    }

And this is the response body:
Invalid secret token for stress_test_hook at gpltechdemos(https://gpltechdemos.shotgunstudio.com)
Since we don’t have a lot of activity on this test server, I cannot know if there are other Entity types/fields that fail for secret token validation.
Is there something wrong with the code, or why do you think this is not working for certain events?
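
An added example, not part of the original post and not a diagnosis of the failing events: a stand-alone version of the same scheme (`sha1=` plus hex HMAC-SHA1 over the request body) showing that the signature covers the exact bytes received, so the same JSON re-serialized no longer verifies. The secret, the body and the names `sign`, `verify` and `demo` are constructed for this illustration.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-secret-token"  # constructed, not a real token

# Constructed body modelled on the payload in the post (URL is made up).
RAW_BODY = (
    b'{"data":{"meta":{"attribute_name":"sg_uploaded_movie_mp4",'
    b'"new_value":{"url":"https://example.invalid/a.mp4?x=1&y=%2F"}}},'
    b'"timestamp":"2021-05-12T21:11:27Z"}'
)


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value for a body: 'sha1=' + hex HMAC-SHA1 of the raw bytes."""
    return "sha1=" + hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Constant-time check of the received header against the raw bytes."""
    if not header_value:
        return False  # missing or empty header never matches
    expected = sign(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header_value.encode())


def demo() -> dict:
    # What a sender holding SECRET would put in the signature header.
    header = sign(SECRET, RAW_BODY)
    # Same JSON document, different bytes: json.dumps inserts spaces
    # after ':' and ',' that the compact original does not have.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return {
        "raw_bytes_verify": verify(SECRET, RAW_BODY, header),
        "reserialized_verify": verify(SECRET, reserialized, header),
        "same_json": json.loads(reserialized) == json.loads(RAW_BODY),
        "missing_header_verify": verify(SECRET, RAW_BODY, None),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When a delivery fails validation, logging the length and a hash of the raw body next to the received header lets two deliveries be compared byte for byte without writing the secret to the log.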