Not able to perform webhook handshake?

English Forum Developers & API
1

Hey everyone,
I have been trying to set up an asana webhook using lambda with an API gateway.
here is lambda’s code I’m using-
import hashlib
import hmac
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

hook_secret = None

def lambda_handler(request, context):
global hook_secret
logging.info(“Headers: \n” + str(request[“headers”]))
logging.info(“Body: \n” + str(request[‘body’]))
if “X-Hook-Secret” in list(request[‘headers’].keys()):
if hook_secret is not None:
logging.warning(
“Second handshake request received. This could be an attacker trying to set up a new secret. Ignoring.”)
else:
# Respond to the handshake request :slight_smile:
logging.info(“New webhook”) # Save the secret for later to verify incoming webhooks
hook_secret = request[“headers”][“X-Hook-Secret”]
header = {‘X-Hook-Secret’: hook_secret}
response = {
‘statusCode’:‘200’,
‘headers’:header,
‘body’:{}
}
return response
elif “X-Hook-Signature” in list(request[‘headers’].keys()):
# Compare the signature sent by Asana’s API with one calculated locally.
# These should match since we now share the same secret as what Asana has stored.
signature = hmac.new(hook_secret.encode(‘ascii’, ‘ignore’),
msg=str(request.data), digestmod=hashlib.sha256).hexdigest()
if not hmac.compare_digest(signature,
request.headers[“X-Hook-Signature”].encode(‘ascii’, ‘ignore’)):
logging.warning(“Calculated digest does not match digest from API. This event is not trusted.”)
return
contents = json.loads(request.data)
logging.info(“Received payload of %s events”, len(contents[“events”]))
return “”
else:
raise KeyError

And this is the response body and header I get while testing my API gateway-

Response Body

{
    "method": "POST",
    "body" : "",
    "statusCode":'200'
}

Response Headers

{"X-Hook-Secret":"xxxxxxxxxxxx","Access-Control-Allow-Origin":"*","X-Amzn-Trace-Id":"Root=1-xxxxxxxxxxxxxxxxxx;Sampled=0","Content-Type":"application/json"}

Every time I try to create a webhook I get an error with the message “The remote server did not respond with the handshake secret.”
I am not sure what I am doing wrong.
Please help me out, guys.

2

Have you checked to make sure you’re seeing “New webhook” in your logs to indicate that you are sending back the handshake reply?

4

@Phil_Seeman
yes, I m getting “New webhook” in the logs.
Could you please tell me the JSON schema of the response?
Do I have pass ‘X-Hook-Secret’ or all the headers received in POST request.

5

I don’t have the complete JSON response handy at the moment, sorry.

Just X-Hook-Secret.

People have had issues with the SSL certificate they’re using and/or configuration at your server; if you haven’t yet, you might search this section of the forum for “The remote server did not respond with the handshake secret” and you’ll find some discussions of those issues.