Undefined array key "X-Square-HmacSha256-Signature

wizard2475 · August 19, 2023, 4:44pm

I keep getting this error Undefined array key "X-Square-HmacSha256-Signature

Here is the code:

function isFromSquare($signature, $body) {
$hash = hash_hmac(“sha256”, NOTIFICATION_URL, $body, SIGNATURE_KEY, true);
return base64_encode($hash) == $signature;
}

$headers = apache_request_headers();
$signature = $headers[“X-Square-HmacSha256-Signature”];

my php version is 8.0

Bryan-Square · August 21, 2023, 4:08pm

Are you getting this with our example Webhook event notification validation in PHP?

<?php

require 'vendor/autoload.php';
use Square\Utils\WebhooksHelper;

// The URL where event notifications are sent.
define("NOTIFICATION_URL", "https://example.com/webhook");

// The signature key defined for the subscription.
define("SIGNATURE_KEY", "asdf1234");

// Start a simple server for local testing.
// Different frameworks may provide the raw request body in other ways.
// INSTRUCTIONS
// 1. Run the server:
//    php -S localhost:8000 server.php
// 2. Send the following request from a separate terminal:
//    curl -vX POST localhost:8000 -d '{"hello":"world"}' -H "X-Square-HmacSha256-Signature: 2kRE5qRU2tR+tBGlDwMEw2avJ7QM4ikPYD/PJ3bd9Og="

$headers = apache_request_headers();
$signature = $headers["X-Square-HmacSha256-Signature"];

$body = '';   
$handle = fopen('php://input', 'r');
while(!feof($handle)) {
    $body .= fread($handle, 1024);
}

if (WebhooksHelper::isValidWebhookEventSignature($body, $signature, SIGNATURE_KEY, NOTIFICATION_URL)) {
    // Signature is valid. Return 200 OK.
    http_response_code(200);
    echo "Request body: $body\n";
} else {
  // Signature is invalid. Return 403 Forbidden.
  http_response_code(403);
    // Signature is invalid. Return 403 Forbidden.
    http_response_code(403);
}
return http_response_code();
?>

Do you have any additional details? Also whats your application ID?

mojofo · August 24, 2023, 4:02am

Hi wizard2475 (and Bryan-Square)
Had a similar issue so wrote header response to a database and found that the header key is actually ‘X-Square-Hmacsha256-Signature’ instead of ‘X-Square-HmacSha256-Signature’. This edit worked for me.

Bryan-Square · August 24, 2023, 5:01pm

Thanks for sharing your findings. @wizard2475 did the change to X-Square-Hmacsha256-Signature work? I’ll be sharing this with the team.

mojofo · August 24, 2023, 11:59pm

Yes, appears it is just a typo

wizard2475 · August 25, 2023, 11:44am

Bryan,
That fixed the one error but I’m still getting response codes 302. Looks like I’m still missing something

Thank You
Mark

Bryan-Square · August 25, 2023, 5:13pm

Wasn’t aware of the 302 response. Is that an HTTP response? What’s the error?

wizard2475 · August 25, 2023, 7:36pm

Here’s what it said:

square-initial-delivery-timestamp: 2023-08-25T10:25:30Z
x-square-signature: XXX(removed)
content-length: 1453
square-environment: Sandbox
square-retry-number: 14
square-version: 2023-07-20
host: yourcitysafe.com
content-type: application/json
x-square-hmacsha256-signature: RxWiS7Js8KlT8lE2poqkNLXh4FPtNtTVWr2OpR3x0+c=
square-retry-reason: http_error
accept: */*
user-agent: Square Connect v2

{
  "merchant_id": "ML081T3MA6AEZ",
  "type": "payment.updated",
  "event_id": "1a10eef7-ae15-3608-a684-b3f3f3624455",
  "created_at": "2023-08-25T10:25:28.124Z",
  "data": {
    "type": "payment",
    "id": "(removed)9MZY",
    "object": {
      "payment": {
        "amount_money": {
          "amount": 3016,
          "currency": "USD"
        },
        "application_details": {
          "application_id": "sandbox-sq0idb-XV8bg17cydkbTE6j7gd2hw",
          "square_product": "ECOMMERCE_API"
        },
        "approved_money": {
          "amount": 3016,
          "currency": "USD"
        },
        "card_details": {
          "avs_status": "AVS_ACCEPTED",
          "card": {
            "bin": "510510",
            "card_brand": "MASTERCARD",
            "card_type": "CREDIT",
            "exp_month": 4,
            "exp_year": 2025,
            "fingerprint": "sq-1-guPiWQoq5SeyicrKBtkpL-9nlDXG3Pgoz6ubvfP7brymoBfXCBYbWU1fiBOL0cP2fA",
            "last_4": "5100",
            "prepaid_type": "NOT_PREPAID"
          },
          "card_payment_timeline": {
            "authorized_at": "2023-08-25T10:25:26.505Z",
            "captured_at": "2023-08-25T10:25:26.578Z"
          },
          "cvv_status": "CVV_ACCEPTED",
          "entry_method": "KEYED",
          "statement_description": "SQ *DEFAULT TEST ACCOUNT",
          "status": "CAPTURED"
        },
        "created_at": "2023-08-25T10:25:26.392Z",
        "delay_action": "CANCEL",
        "delay_duration": "PT168H",
        "delayed_until": "2023-09-01T10:25:26.392Z",
        "id": "b7PCXytqj1imG12yomXUVyHuK9MZY",
        "location_id": "L0VB77Z2J928B",
        "order_id": "PlEFCgyz0ByJMPxIxGLCHXLfoBLZY",
        "receipt_number": "b7PC",
        "receipt_url": "https://squareupsandbox.com/receipt/preview/b7PCXytqj1imG12yomXUVyHuK9MZY",
        "source_type": "CARD",
        "status": "COMPLETED",
        "total_money": {
          "amount": 3016,
          "currency": "USD"
        },
        "updated_at": "2023-08-25T10:25:28.121Z",
        "version": 2
      }
    }
  }
}

Bryan-Square · August 25, 2023, 8:18pm

Okay, great! That’s the webhook event. I took a look at your logs and see the 302 you mentioned. That’s the response from your server that’s logged. A 302 is a found response. We recommend that you respond with a 2xx within 10 seconds of receiving the event.