From 2dc741238beae0e49951920267461a236f646685 Mon Sep 17 00:00:00 2001
From: Kirill Sizov
Date: Tue, 24 Jan 2023 18:29:14 +0200
Subject: [PATCH] Fix webhook signature (#5622)

---
 CHANGELOG.md | 1 +
 cvat/apps/webhooks/signals.py | 2 +-
 .../docs/administration/advanced/webhooks.md | 24 +++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 272e1898..2149ff86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ()
 - Windows Installation Instructions adjusted to work around
 - The contour detection function for semantic segmentation ()
+- Delete newline character when generating a webhook signature ()
 
 ### Deprecated
 - TDB
diff --git a/cvat/apps/webhooks/signals.py b/cvat/apps/webhooks/signals.py
index f1da19b9..273f9f9b 100644
--- a/cvat/apps/webhooks/signals.py
+++ b/cvat/apps/webhooks/signals.py
@@ -36,7 +36,7 @@ def send_webhook(webhook, payload, delivery):
 "sha256="
 + hmac.new(
 webhook.secret.encode("utf-8"),
- (json.dumps(payload) + "\n").encode("utf-8"),
+ json.dumps(payload).encode("utf-8"),
 digestmod=hashlib.sha256,
 ).hexdigest()
 )
diff --git a/site/content/en/docs/administration/advanced/webhooks.md b/site/content/en/docs/administration/advanced/webhooks.md
index b6615ed7..ade7a521 100644
--- a/site/content/en/docs/administration/advanced/webhooks.md
+++ b/site/content/en/docs/administration/advanced/webhooks.md
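Review bot: The new HMAC input `json.dumps(payload).encode("utf-8")` is only verifiable if the bytes actually sent as the request body are exactly that serialization; the receiver example added in webhooks.md verifies against `request.data`, so any difference in separators, key order or `ensure_ascii` between this `json.dumps` call and the serialization used when the request is sent will make every delivery fail verification. send_webhook continues outside the hunk, so the send path is not visible here; the robust form is to serialize once, `body = json.dumps(payload).encode("utf-8")`, pass `body` to `hmac.new`, and send that same byte string as the request body instead of re-serializing the payload. A comment on the HMAC line would record the contract for future edits: `# Sign exactly the bytes sent as the request body; receivers verify the raw body, so the two must not diverge.`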
@@ -301,6 +301,30 @@ Example of header value for empty request body and `secret = mykey`:
 X-Signature-256: e1b24265bf2e0b20c81837993b4f1415f7b68c503114d100a40601eca6a2745f
 ```
 
+Here is an example of how you can verify a webhook signature in your webhook receiver service:
+
+```python
+# webhook_receiver.py
+
+import hmac
+from hashlib import sha256
+from flask import Flask, request
+
+app = Flask(__name__)
+
+@app.route("/webhook", methods=["POST"])
+def webhook():
+ signature = (
+ "sha256="
+ + hmac.new("mykey".encode("utf-8"), request.data, digestmod=sha256).hexdigest()
+ )
+
+ if hmac.compare_digest(request.headers["X-Signature-256"], signature):
+ return app.response_class(status=200)
+
+ raise app.response_class(status=500, response="Signatures didn't match!")
+```
+
 ## Ping Webhook
 
 To check that webhook configured well and CVAT can connect with target URL you can use `ping` webhook.