僅為 提供

管理員可以使用 webhooks 來檢查資料存取的完整性,確認通知是真正由 Onshape 所送出,且未在傳輸過程中遭到竄改。啟用 webhook 基本驗證會將授權標頭填入所有 webhook 要求中。

若要巡覽您 Onshape 中的「Webhooks」設定,請按一下 Onshape 視窗右上角的帳戶使用者圖示 (Account user icon)。這樣會開啟一個下拉功能表,然後按一下 [Company/Classroom/Enterprise 設定]。

按一下頁面左側清單中的 [Webhooks]:

Company 設定:Webhooks

Company 設定 > Webhooks

Enterprise 設定:Webhooks

Enterprise 設定 > Webhooks

Administrators can use webhooks to check data access integrity, ensuring that a notification was really sent by Onshape, and that it has not been tampered with in transit. Enabling webhook basic authentication populates the Authorization header in all webhook requests. Webhook signatures configures webhooks to use signatures to protect against attacks. Generate primary and secondary keys to rotate keys in your production application. This allows Administrators to deprecate or swap keys without breaking the current connection. If either key matches, it will be accepted as valid by Onshape. Copy to clipboard sends the related key to your clipboard. Reset removes the key from the related field. Once primary keys are generated, click Save changes to accept the entries.

「Webhooks」對話方塊

管理員應確認所有 webhooks 端點位置 (https) 都是安全的,因為這個資料不是加密的。

會使用下列的結構來將簽章值與 webhook 目標比對:

Signature = <Base64<HMAC256-digest<<timestamp header value>.<webhook payload>>>

Onshape webhooks 包含下列額外的標頭:

  • X-onshape-webhook-timestamp - Time stamp signifying when the webhook was sent

  • X-onshape-webhook-signature-primary - Present if the primary signature key is specified in the company settings

  • X-onshape-webhook-signature-secondary - Present if the secondary signature key is specified in the company settings

JAVA

void matchSignatureHeader(String messageBody, String timestamp, String signatureKey, String signature) throws Exception {

String payload = timestamp + "." + messageBody;
String algorithm = "HmacSHA256";
Mac mac = Mac.getInstance(algorithm);
mac.init(new SecretKeySpec(signatureKey.getBytes(), algorithm));
byte[] payloadBytes = mac.doFinal(payload.getBytes());
Assert.assertArrayEquals(payloadBytes, Base64.decodeBase64(signature.getBytes()));

}

NODE.JS

const crypto = require('crypto');
……
var signatureKey; // The primary or secondary key
var message = timestampHeader + "." + rawPayload; // The timestamp header and the webhook payload
var hashValue = crypto.createHmac('SHA256', signatureKey).update(message).digest('base64');
if (hashValue === signatureHeader) { // signatureHeader is the primary or secondary signature header received with the webhook
// Signatures match
}