HMAC authentication of secret and payload in Symfony 5.4

Question

My JavaScript code is making the following POST API call to my endpoint:

const payload = {
   course: args,
   recipient: roomId
};
const signature = this.calculateSignature(JSON.stringify(payload), secret);

const response = await fetch(`https://crmpicco.co.uk/app/api/dsf7s9d8797987897987`, {
   method: 'POST',
   headers: {
      'Content-Type': 'application/json',
      'X-EchoBot-Signature-256': signature 
   },
   body: JSON.stringify(payload)
});

calculateSignature(payload, secret) {
   return "sha256=" + crypto
   .createHmac('sha256', secret)
   .update(payload)
   .digest('hex');
}

in my Symfony 5.4 PHP app I have the following code:

$echoSecret = "0IQgWRFC1872i6AQc3mDo3Dc48UfWATPCoRX";

$encodedPayload = json_encode(json_decode($request->getContent()));
$calculatedSecret = hash_hmac('sha256', $encodedPayload, $echoSecret);
if ($headers['x-echobot-signature-256'][0] == "sha256=" . $calculatedSecret) {
    $this->getLogger()->info('The signature is valid, proceed...', [
        'calculatedSecret' => $calculatedSecret,
        'headerSecret' => $headers['x-echobot-signature-256'][0]
    ]);
} else {
    $this->getLogger()->info('The signature is invalid :(', [
        'calculatedSecret' => $calculatedSecret,
        'headerSecret' => $headers['x-echobot-signature-256'][0]
    ]);
}

Everytime I call the endpoint the authentication fails and falls into the The signature is invalid :( else block.

The request looks like this:

"request":{"stdClass":{"course":["topaid33"],"recipient":"!LjZCWlshucBDhBobTT:crm.com"}},"payload":"{"course":["topaid33"],"recipient":"!LjZCWlshucBDhBobTT:crm.com"}","headers":{"accept-encoding":["gzip, deflate, br"],"content-type":["application/json"],"user-agent":["Amazon CloudFront"],"x-amz-cf-id":["ndCQJ9lvWATP_vSerFFFFaqHBhYqOn_wdSLF2vWBShXCBA=="],"x-cloudfront-key":["RFC1872"],"x-matrixbot-signature-256":["sha256=3577f59ea6f1dd44af8af2e9240093387897897987987a029ccf818ae92ee2cdb99"],"x-forwarded-port":["443"],"x-forwarded-proto":["https"],"content-length":["78"],"via":["1.1 ip-10-82-2-81 (Varnish/7.2)"],"host":["s.crmpicco.co.uk"],"x-varnish":["3735722"],"x-php-ob-level":["1"]

Where am I taking a mis-step here?

Answer 1

compare hashes using the hash_equals function

$signature = $request->header('x-echobot-signature-256');

$computedSignature = hash_hmac('sha256', (string) $request->getContent(), $echoSecret);

hash_equals($signature, $computedSignature)