Microsoft Teams Webhook validation in n8n

Hi, I’m using a webhook in N8N for receive message of Teams.
The Webhooks is ok, but I need make a verification, how can I do?
I’m trying user ChatGPT but without success.

node code:

// Token secreto gerado pelo Microsoft Teams
const secretToken = ‘<SEU_TOKEN_DO_TEAMS>’; // Substitua pelo token gerado

// Obtenha os cabeçalhos e o corpo da requisição
const headers = $json.headers; // Cabeçalhos enviados na requisição
const requestBody = JSON.stringify($json.body); // Corpo da requisição como string

// Assinatura enviada pelo Teams no cabeçalho Authorization
const receivedHMAC = headers.authorization.split(’ ')[1]; // Remove “HMAC”

// Função para gerar HMAC usando SHA-256
function generateHMAC(secret, body) {
const crypto = require(‘crypto’);
return crypto
.createHmac(‘sha256’, Buffer.from(secret, ‘base64’)) // Chave em Base64
.update(body, ‘utf8’) // Atualiza com o corpo da mensagem
.digest(‘base64’); // Retorna o HMAC em Base64
}

// Gera o HMAC
const calculatedHMAC = generateHMAC(secretToken, requestBody);

// Valida a assinatura
if (calculatedHMAC !== receivedHMAC) {
throw new Error(‘Assinatura HMAC inválida’);
}

// Retorna os dados da requisição se a validação for bem-sucedida
return $json.body;

It looks like your topic is missing some important information. Could you provide the following if applicable.

  • n8n version:
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app):
  • Operating system:

Updating!
For the post don’t die

hi @Matheus_Peixoto

Can you please share the whole workflow so the community can try to help here?

That should give everyone a better picture on what you’re trying to achieve.

Thanks!

of course.

I read this article and did the whole process:

Create an Outgoing Webhook - Teams | Microsoft Learn

but according to the article a validation is required and I don’t know how to do it.

this my workflow and my webhook received.


Same issue here.

Is is possible that there is a bug in the Crypto Node as mentioned here?

I tried several possible solutions e.g. Option keep raw body in the Webhook node as input for the crypto module, but the generated output never matches the Teams authorization HMAC header.

The only working solution I found is an implementation with the code node seen in post to generate the HMAC:

const authHeader = $json["headers"]["authorization"];
const hmacFromHeader = authHeader.replace("HMAC ", "").trim();

// calc HMAC des Request Body
const crypto = require('crypto');
const keyBase64 = "[you key goes here]";
const payload =  JSON.stringify($json.body || $json); 

function hashPayload() {
  const decodedHmacKey = Buffer.from(keyBase64, 'base64');
  return crypto.createHmac('sha256', decodedHmacKey)
               .update(payload)
               .digest('base64');
}

$input.item.json.hash = "HMAC " + hashPayload();

return $input.item;

You can then compare $json.headers.authorization with $json.hash

But this solution has the downside, that the key is stored in the JS module, what I would like to avoid. Any other suggestions?

Maybe it is also possible to access credentials in the JS code so I can seperate the key from the code?