Authenticating Todoist Webhook Requests

For anyone trying to figure out how to authenticate Todoist’s webhook requests, I thought I’d share my findings.

Jumping to the Point
Use the crypto node to JSON stringify the raw values from the Todoist node’s body object. This can be compared to the hmac in the webhook request headers.

Example of how to JSON stringify the raw values:
{{JSON.stringify($node["Todoist Node"].json["body"])}}
(Change “Todoist Node” to the name of your Todoist node)

Details
As Todoist’s documentation explains, a webhook request’s X-Todoist-Hmac-SHA256 header can be compared to authenticate the source of the request. Simply generate a SHA256 Hmac of the entire request payload encoded in base64 and compare.

To do so, use the Crypto node. Settings are as follows:
Action: Hmac
Type: SHA256
Value: {{JSON.stringify($node["Name of Your Todoist Node"].json["body"])}}
Secret: Your Todoist client secret
Encoding: BASE64

The resulting output can be compared with the X-Todoist-Hmac-SHA256 header Todoist has provided with the request.

Example workflow provided here
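The same check in plain Node.js, as an added example that is not part of the original post or of n8n's or Todoist's own code: it compares the header in constant time and shows that hashing a re-serialized body only matches when the re-serialization reproduces the sender's bytes exactly. The secret and payload are constructed sample values, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// base64(HMAC-SHA256(secret, payload)): the same operation as the Crypto node
// settings above (Action: Hmac, Type: SHA256, Encoding: BASE64).
function computeSignature(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64');
}

// Constant-time comparison of the received header against the expected MAC.
// timingSafeEqual throws on unequal lengths, so reject those first.
function verifySignature(payload, headerValue, secret) {
  if (typeof headerValue !== 'string') return false; // header missing
  const expected = Buffer.from(computeSignature(payload, secret), 'base64');
  const received = Buffer.from(headerValue, 'base64');
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not a real Todoist payload or client secret).
const SECRET = 'example-client-secret';
const rawBody = Buffer.from(
  '{"event_name": "item:added", "event_data": {"content": "caf\\u00e9"}}',
  'utf8'
);
// What the sender would attach as X-Todoist-Hmac-SHA256 for these bytes.
const header = computeSignature(rawBody, SECRET);

// Parsing and re-stringifying drops the spaces and the \u escape, so the
// bytes (and therefore the HMAC) differ from what the sender signed.
const reserialized = JSON.stringify(JSON.parse(rawBody.toString('utf8')));

function demo() {
  const tampered = Buffer.from(rawBody.toString('utf8').replace('added', 'deleted'));
  return {
    rawOk: verifySignature(rawBody, header, SECRET),
    reserializedOk: verifySignature(reserialized, header, SECRET),
    tamperedOk: verifySignature(tampered, header, SECRET),
    missingHeaderOk: verifySignature(rawBody, undefined, SECRET),
  };
}

console.log(demo());
```
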

Thanks for sharing @San

1 Like

Hope it’s helpful!

Here’s an example workflow in case anyone can use it:

2 Likes

Hello @San and all the community!

Thanks a lot, it works great!
I’m trying to use it to update a list of tasks in Notion. “Take some action” works only if there is no date in the Todoist task.
I need to add the due date to the Notion task:
{{ $node["Webhook Authenticator"].json["body"]["event_data"]["due"]["date"] }}
result is: 2022-12-09

So I need to format the date before the Notion Node? Can you help me on this?

Many thanks in advance!

Philippe

I recognize my mistake in the workflow before! I’m a newbie, hence why I had left the “Take Some Action”.
Anyway, I’m still having an issue with the Todoist Webhook.
It works fine when there is no due date. Both tokens match.
When a date is mentioned in Todoist then:
{{$node["Todoist Webhook"].json["headers"]["x-todoist-hmac-sha256"]}}
becomes different from
{{$node["Webhook Authenticator"].json["data"]}}

I read in the Todoist documentation that manipulating dates is complex due to the specificity of Todoist, but I do not understand why the date would have an impact on authentication…

I hope someone has already had a similar issue.

Thanks in advance

Hi @Philippe, it might be worth opening a separate topic for this and sharing some example data you are receiving from Todoist as well as the exact error you are seeing. This way, other users who don’t use Todoist directly might be able to help.

Indeed, @MutedJam, sorry.

I just created the topic.

Thanks!

1 Like
