Documentation Nexus IQ Server 1.30

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

25.3. Working with HMAC Payloads

If you enable a secret key to generate an HMAC digest, a special header is sent with all of your webhook payloads. This header, X-Nexus-Webhook-Signature, carries the HMAC digest so that you can verify that the message you receive is authentic.

Webhooks can be consumed easily in Node.js. Use the following setup to get started, substituting foo for the secret key you configured with your webhook:

Setup in terminal. 

npm init
npm install express
npm install body-parser
echo {\"secretKey\":\"foo\"} > settings.json

[Note]

When verifying the HMAC digest, the HmacDigest value should match the signature value.

Example Webhook Consumer. 

const express = require('express');
const app = express();
const bodyParser = require('body-parser');
const settings = require('./settings.json');
const crypto = require('crypto');

app.use(bodyParser.json());

app.post('/', function(req, res) {
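  const body = req.body;
  // Signature sent by the server (Node.js lower-cases incoming header names).
  const signature = req.headers['x-nexus-webhook-signature'];
  // Recompute the HMAC-SHA1 digest of the body with the shared secret key.
  const hmacDigest = crypto.createHmac("sha1", settings.secretKey).update(JSON.stringify(body)).digest("hex");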

  console.log('Webhook received');
  console.log('Headers: ' + JSON.stringify(req.headers));
  console.log('Body: ' + JSON.stringify(req.body));
  console.log('HmacDigest: ' + hmacDigest);
  console.log('Signature: ' + signature);
  res.send();
});

app.listen(3000, function() {
  console.log('Server running on port 3000.');
});
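
The consumer above only logs the two values. The following added example (not part of the original documentation) shows one way to enforce the check: it compares the digest in constant time and rejects a missing or malformed header. It assumes the digest is computed over the request body bytes exactly as sent; verifyWebhookSignature, sign, demo and the sample payload are constructed for illustration.

```javascript
const crypto = require('crypto');

// Returns true only if signatureHeader is the hex HMAC-SHA1 of rawBody
// under secretKey (algorithm and encoding as in the consumer above).
function verifyWebhookSignature(rawBody, signatureHeader, secretKey) {
  // A SHA-1 digest is 20 bytes, i.e. exactly 40 hex characters.
  if (typeof signatureHeader !== 'string' ||
      !/^[0-9a-fA-F]{40}$/.test(signatureHeader)) {
    return false; // header missing or malformed
  }
  const expected = crypto.createHmac('sha1', secretKey).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Constant-time comparison; both buffers are 20 bytes at this point.
  return crypto.timingSafeEqual(expected, received);
}

// Helper for the demo only: what a sender holding the key would compute.
function sign(rawBody, secretKey) {
  return crypto.createHmac('sha1', secretKey).update(rawBody).digest('hex');
}

function demo() {
  const secret = 'foo'; // same placeholder key as settings.json above
  // Constructed payload (not a real Nexus IQ event), with whitespace on purpose.
  const raw = Buffer.from('{ "event": "sample", "id": 1 }', 'utf8');
  const header = sign(raw, secret);

  const tampered = Buffer.from('{ "event": "sample", "id": 2 }', 'utf8');
  // Parsing and re-serializing drops the whitespace, so the bytes differ.
  const reserialized = JSON.stringify(JSON.parse(raw.toString('utf8')));

  return {
    genuine: verifyWebhookSignature(raw, header, secret),
    tampered: verifyWebhookSignature(tampered, header, secret),
    wrongKey: verifyWebhookSignature(raw, header, 'bar'),
    missingHeader: verifyWebhookSignature(raw, undefined, secret),
    reserialized: verifyWebhookSignature(reserialized, header, secret),
  };
}

console.log(demo());
```

In an Express handler, the raw bytes can be captured with body-parser's verify option, for example bodyParser.json({ verify: (req, res, buf) => { req.rawBody = buf; } }), and the request answered with status 401 when the function returns false.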