Login/Register
How to verify Instagram real-time API x-hub-signature in Java?
Asked Answered
Solved javajsonplayframeworkplayframework-2.0instagram
R

2

1

I'm using Play framework to develop consumer for Instagram real-time API. But still could not perform x-hub-signature verification properly. So, how can we perform Instagram x-hub-signature verification using Java and Play framework?

Here is my current code:

  1. From the Play framework, I obtain the JSON payload using this method:

    public static Result receiveInstaData(){
    JsonNode json = request().body().asJson();

    //obtain the x-hub-signature from the header
    //obtain the corresponding client secret

    VerificationResult verificationResult =  
        SubscriptionUtil.verifySubscriptionPostSignature(
            clientSecret, json.toString(), xHubSignature);

    if(verificationResult.isSuccess()){
    //do something
    }
 }

  2. Then inside the SubscriptionUtil, I perform verification using this following code:

    public static VerificationResult verifySubscriptionPostSignature(String clientSecret, String rawJsonData, String xHubSignature) {
    SecretKeySpec keySpec;
    keySpec = new SecretKeySpec(clientSecret.getBytes("UTF-8"), HMAC_SHA1);

    Mac mac;
    mac = Mac.getInstance(HMAC_SHA1);
    mac.init(keySpec);

    byte[] result;
    result = mac.doFinal(rawJsonData.getBytes("UTF-8"));
    String encodedResult = Hex.encodeHexString(result);

    return new VerificationResult(encodedResult.equals(xHubSignature), encodedResult);
   }

I created a standalone Python script that copies the instagram-python implementation and both of them produce the same results for the same clientSecret and jsonString. Maybe I should provide with raw binary data instead of String.

If let's say we need a raw binary data for JSON request, then I need to create my custom BodyParser to parse the JSON request to raw binary data[5]

References:

[1-4]http://pastebin.com/g4uuDwzn (SO doesn't allow me to post more than 2 links, so I put all the references here. The links contain the signature verification in Ruby, Python and PHP)

[5]https://groups.google.com/forum/#!msg/play-framework/YMQb6yeDH5o/jU8FD--yVPYJ

[6]My standalone python script: #! /usr/bin/env python

import sys
import hmac
import hashlib

hc_client_secret = "myclientsecret"
hc_raw_response = "[{\"subscription_id\":\"1\",\"object\":\"user\",\"object_id\":\"1234\",\"changed_aspect\":\"media\",\"time\":1297286541},{\"subscription_id\":\"2\",\"object\":\"tag\",\"object_id\":\"nofilter\",\"changed_aspect\":\"media\",\"time\":1297286541}]"

client_secret = hc_client_secret
raw_response = hc_raw_response

if len(sys.argv) != 3:
    print 'Usage verify_signature <client_secret> <raw_response>.\nSince the inputs are invalid, use the hardcoded value instead!'
else:
    client_secret = sys.argv[1]
    raw_response = sys.argv[2]  

print "client_secret = " + client_secret
print "raw_response = " + raw_response

digest = hmac.new(client_secret.encode('utf-8'), msg=raw_response.encode('utf-8'), digestmod=hashlib.sha1).hexdigest()
print digest
Radiothorium answered 18/12, 2013 at 12:54 Comment(0)
R
2

Finally I managed to find the solution. For the Controller in Play Framework, we need to use BodyParser.Raw so the we can extract the payload request as raw data, i.e. array of bytes.

Here's the code for the controller in Play Framework:

@BodyParser.Of(BodyParser.Raw.class)
public static Result receiveRawInstaData(){
    Map<String, String[]> headers = request().headers();
    RawBuffer jsonRaw = request().body().asRaw();

    if(jsonRaw == null){
        logger.warn("jsonRaw is null. Something is wrong with the payload");
        return badRequest("Expecting serializable raw data");
    }

    String[] xHubSignature = headers.get(InstaSubscriptionUtils.HTTP_HEADER_X_HUB_SIGNATURE);
    if(xHubSignature == null){
        logger.error("Invalid POST. It does not contain {} in its header", InstaSubscriptionUtils.HTTP_HEADER_X_HUB_SIGNATURE);
        return badRequest("You are not Instagram!\n");
    }

    String json;
    byte[] jsonRawBytes;

    jsonRawBytes = jsonRaw.asBytes();
    json = new String(jsonRawBytes, StandardCharsets.UTF_8);

    try {
        String clientSecret = InstaSubscriptionUtils.getClientSecret(1);
        VerificationResult verificationResult = SubscriptionUtil.verifySubscriptionPostRequestSignature
                (clientSecret,jsonRawBytes, xHubSignature[0]);
        if(verificationResult.isSuccess()){
            logger.debug("Signature matches!. Received signature: {}, calculated signature: {}", xHubSignature[0], verificationResult.getCalculatedSignature());
        }else{
            logger.error("Signature doesn't match. Received signature: {}, calculated signature: {}", xHubSignature[0], verificationResult.getCalculatedSignature());
            return badRequest("Signature does not match!\n");
        }
    } catch (InstagramException e) {
        logger.error("Instagram exception.", e);
        return internalServerError("Internal server error. We will attend to this problem ASAP!");
    }

    logger.debug("Received xHubSignature: {}", xHubSignature[0]);
    logger.info("Sucessfully received json data: {}", json);

    return ok("OK!");
}

And for the code for method verifySubscriptionPostRequestSignature in SubscriptionUtil

public static VerificationResult verifySubscriptionPostRequestSignature(String clientSecret, byte[] rawJsonData, String xHubSignature) throws InstagramException{
    SecretKeySpec keySpec;
    keySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), HMAC_SHA1);
    Mac mac;

    try {
        mac = Mac.getInstance(HMAC_SHA1);
        mac.init(keySpec);
        byte[] result = mac.doFinal(rawJsonData);
        String encodedResult = Hex.encodeHexString(result);

        return new VerificationResult(encodedResult.equals(xHubSignature), encodedResult);
    } catch (NoSuchAlgorithmException e) {
        throw new InstagramException("Invalid algorithm name!", e);
    } catch (InvalidKeyException e){
        throw new InstagramException("Invalid key: " + clientSecret, e);
    }
}

I implemented this solution in jInstagram, here is the link to the source code: SubscriptionUtil

Radiothorium answered 24/12, 2013 at 14:0 Comment(1)
One may use <dependency> <groupId>commons-codec</groupId> <artifactId>commons-codec</artifactId> <version>1.15</version> </dependency> for the Hex class. Getting the body as byte[] for the signature checking is keyVereen
V
0

Important imports:

import org.apache.commons.codec.binary.Hex;

import javax.crypto.Mac;

import javax.crypto.spec.SecretKeySpec;

Another simple example:

public boolean isValidSignature(byte[] payload, String signature) throws NoSuchAlgorithmException, InvalidKeyException {

    signature = signature.replace("sha256=", "");

    Mac sha256_HMAC = Mac.getInstance(HMAC_SHA_256);
    SecretKeySpec secretKeySpec = new SecretKeySpec("youSecret".getBytes(), HMAC_SHA_256);
    sha256_HMAC.init(secretKeySpec);

    byte[] hash = sha256_HMAC.doFinal(payload);
    String message = Hex.encodeHexString(hash);
    boolean isValid = message.equals(signature);

    System.out.println(String.format("Signature is valid: %b [payload: %s] [signature: %s]", isValid, new String(payload, Charset.defaultCharset()), signature));
    return isValid;
}
Vereen answered 12/3, 2023 at 17:48 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.