I am trying to figure out how to verify the x-asana-request-signature header sent along with the payload.data blob with my Client Secret inside of a Mulesoft 4 application (Dataweave 2.0 scripting).
```dataweave
%dw 2.0
import dw::Crypto
output application/json
var provided = (attributes.headers["x-asana-request-signature"] default "") as String
var secret = (Mule::p("secure::asana.clientSecret") default "") as String
var message = (payload.data default "") as String
var computed = Crypto::HMACWith(message as Binary, secret as Binary, "HmacSHA256") as String
---
{
    isValid: provided == computed
}
```
I’ve tried this in 2 separate Asana workspaces (obviously with different client secrets) and the result is always FALSE.
I’m assuming there’s some issue with the payload.data message Binary conversion?
The secret for HMAC signatures is not the OAuth client secret. It is per webhook subscription and is returned in a header when you make the POST to create the subscription. Sorry, I don’t have a link to the API reference handy, but it should be there and in the webhooks guide page.
I am not trying to use Webhooks - I am using the External Rule system.
For both types of requests, the secret used to compute the signature is your app’s client secret which can be found in the OAuth tab for the app in the developer console.
When I use the OAuth client secret in either of my 2 workspaces, this calculation fails. Is there a different page / secret to use?
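
A diagnostic for the always-false result discussed in this thread, added here as an example and not code from any poster or from Asana: it recomputes the HMAC-SHA256 over several byte strings a handler might be hashing, in both argument orders, and reports which combination reproduces the header. Which bytes Asana signs is not stated in the thread, so the candidates are assumptions, as are the function names and the constructed sample secret and body.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not real Asana data).
SAMPLE_SECRET = "example-client-secret"
SAMPLE_BODY = b'{"data":"{\\"task\\":\\"123\\"}"}'


def sign(key: bytes, message: bytes) -> str:
    """Lowercase hex HMAC-SHA256 of message under key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def candidates(raw_body: bytes) -> dict:
    """Byte strings a handler could end up hashing for one request."""
    out = {"raw body": raw_body}
    try:
        parsed = json.loads(raw_body)
    except ValueError:
        return out  # not JSON: only the raw bytes can be tried
    # Parsing and re-serializing may change whitespace or key order.
    out["re-serialized body"] = json.dumps(parsed).encode()
    data = parsed.get("data") if isinstance(parsed, dict) else None
    if isinstance(data, str):
        out["data field only"] = data.encode()
    return out


def diagnose(header: str, secret: str, raw_body: bytes) -> list:
    """Label every input / argument-order combination that reproduces header."""
    want = header.strip().lower().encode()
    key = secret.encode()
    hits = []
    for label, msg in candidates(raw_body).items():
        # Constant-time comparison, as a production verifier should use.
        if hmac.compare_digest(sign(key, msg).encode(), want):
            hits.append(label)
        if hmac.compare_digest(sign(msg, key).encode(), want):
            hits.append(label + " (key and message swapped)")
    return hits


if __name__ == "__main__":
    # Stand-in for the received x-asana-request-signature header.
    header = sign(SAMPLE_SECRET.encode(), SAMPLE_BODY)
    print(diagnose(header, SAMPLE_SECRET, SAMPLE_BODY))
```

DataWeave's `Crypto::HMACWith` takes the secret as its first argument and the content as its second, so a hit labelled as swapped points at argument order rather than at the secret. An empty result with every candidate means the secret itself, or the bytes captured as the body, differ from what the sender used.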