3 years ago, I created a simple subscriber to the youtube pubsubhubbub api, to get notifications when a new video gets uploaded. This stopped working a few months ago, it worked until then. When I debugged what was happening, I saw that the hmac signature seems to mismatch, causing my server to not process the request.
var checksumHeader = context.Request.Headers["X-Hub-Signature"];
var signature = checksumHeader.ToString().Split('=')[1];
var stream = context.Request.Body;
string body;
using (var reader = new StreamReader(stream, Encoding.UTF8)) {
body = await reader.ReadToEndAsync();
}
var isValid = PubSubSecret.Check(body, signature);
This is my code that processes youtube's POST request. This used to work, but now isValid always returns false.
My Check method:
public static bool Check(string body, string signature) {
using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Secret))) {
var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
var hash = Convert.ToHexString(hashBytes).ToLowerInvariant();
Console.WriteLine("Sig: " + signature);
Console.WriteLine("Computed Hash " + hash);
return signature.Equals(hash);
}
}
If I use the diagnostic tool at , I can see, that youtube gets the correct secret, so this is not the problem. Also, this exact code previously worked, so I wonder what might have changed for this to stop working.
I hope someone can lead me in the right direction about what to check next.
If I copy the string body and secret to one of the many online Hmac SHA1 tools, I get the same hash as my code computes, but not what youtube sends in the header.