Asana API Webhooks - verifying X-Hook-Signature in Node & TS

I would like to verify incoming requests from Asana on my server. According to the docs the X-Hook-Signature header is computed over the request body using SHA256 HMAC.

If I try to create the signature using the node built-in crypto library, the resulting hashes don’t match up with the header.

The documentation sadly didn’t specify how exactly the body has to be passed to the function. I tried passing it as string, JSON.stringyfied, Buffer etc. Nothing seems to generate matching signatures.

Currently the sever uses express.json() as middleware, but I also tried using express.raw() & express.text(). I also tried setting up my own middleware that added a req.rawBody property to hold the request body as buffer.

Would be nice if someone could help me out. :slight_smile:

Minimal exmaple in TS: