Access raw response body from startTrigger in order to validate HMAC method

I am trying to connect Xero with Retool.

What I plan to do
If I create a new item in Xero, I will send this created item to a Retool workflow via webhook so that I can update my Retool database.

What I have done
I have defined a workflow with webhook trigger in Retool.
The required configurations for Xero are done correctly (I have tested using ngrok and NodeJs).
Xero successfully calls Retool Workflow.

What I'm stuck on
Xero uses the "Hash-based Message Authentication Code (HMAC)" technique to send webhooks. As you may know, the raw request body must be used to validate this type of request, otherwise the validation will not be done correctly.

Problem
How can I access the raw response body (before any json modification)?

Tested solutions
I checked these two topics (Validating Xero webhooks; Is it possible to access a Webhook’s headers from Workflows?), but no answer to this issue was found in them.
If you are considering using JavaScript methods like Object.toString() and JSON.stringify(), I say that it doesn't work properly and the validation is not done properly and I need the exact raw response body.

I must emphasize that I tested the exact same code with NodeJs only with the difference that I used raw response body and it worked correctly. The problem arises when the raw response body is not used.

Have you added the crypto library? Also, I feel like that warning on line 1 says something about no require function being available, or is it something unrelated?

@bobthebear
crypto is a built-in Node module and it works properly.
My problem is not in the code, the problem is in accessing the raw response body, which I cannot access.

Hi @Abdulla_Rezaei, welcome to the forum! :wave:

Let's try something out. For testing purposes, have your JS block return an object where we can see both values, change line 7 to something like:

return {
  "xeroSignature": xeroSignature,
  "computedSignature": computedSignature
}

Have the response block just return code1.data for now.

Running this on the editor won't give us accurate data because it only has access to the test data from the startTrigger block, but when we deploy and run the whole workflow, let's see if we are getting the expected values for each signature by checking the output.

Please share a screenshot of the logs so we can take a closer look.
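
Added example (not from any post in this thread, and not Xero's or Retool's code): why an HMAC computed over re-serialized JSON does not match the one computed over the raw request body, which is the problem the thread describes. The key, the payload and the choice of base64-encoded HMAC-SHA256 are constructed assumptions for the demonstration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Base64 HMAC-SHA256 over exactly the bytes given (assumed signature format).
function sign(key, bytes) {
  return createHmac("sha256", key).update(bytes).digest("base64");
}

// Compare the received signature with the computed one in constant time.
function verify(key, bodyBytes, headerSignature) {
  const expected = Buffer.from(sign(key, bodyBytes), "base64");
  const received = Buffer.from(String(headerSignature), "base64");
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Constructed sample values, not real webhook data.
const WEBHOOK_KEY = "constructed-webhook-key";
// Raw body as a sender might transmit it: a space after a colon, a number
// written as 10.0, and a \u escape. All of these are valid JSON.
const RAW_BODY = Buffer.from(
  '{"events": [{"resourceId":"abc","eventType":"CREATE","amount":10.0}],' +
    '"note":"caf\\u00e9"}',
  "utf8"
);
// The sender signs the bytes it puts on the wire.
const HEADER_SIGNATURE = sign(WEBHOOK_KEY, RAW_BODY);

function demo() {
  // What a receiver has left once the platform has parsed the JSON:
  // an object, which can only be turned back into *some* serialization.
  const parsed = JSON.parse(RAW_BODY.toString("utf8"));
  const reserialized = Buffer.from(JSON.stringify(parsed), "utf8");
  return {
    bytesDiffer: !RAW_BODY.equals(reserialized),
    rawOk: verify(WEBHOOK_KEY, RAW_BODY, HEADER_SIGNATURE),
    reserializedOk: verify(WEBHOOK_KEY, reserialized, HEADER_SIGNATURE),
    wrongKeyOk: verify("some-other-key", RAW_BODY, HEADER_SIGNATURE),
  };
}

console.log(demo());
```

The parsed object carries the same data, but whitespace, number formatting and string escapes are lost in parsing, so the signature has to be checked against the bytes as received, before any JSON parser touches them.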