Issue with hmac Sha256 and header verification signature PHP


I have this block but I can't verify it with PHP. I don't understand why, I even tried with '123456' as message, but I have two differents strings, so my PHP returns a 403 code. Don't understand why.


In my app :

On my server (in PHP) :

$hash = hash_hmac("sha256", $data, $key_wh, true);
    if (base64_encode($hash) != $signature_from_app_inventor) {

EDIT : it's for checking my received information on my server are really sent by my app (if the message is authentic). It's a signature header with an HMAC SHA256 hashed version of the secret and payload content.

Not sure why you would do this? The whole point of a hash is to store private information on the server, it should be only there as a hash?

of course not, it's a signature to check passed information with an API and https headers.

I need to check if my hash is the same from the other side (with PHP on my server) to get sure my information is provided by my app.

It's a common thing. But in PHP my hash is not the same from the app.

You say the two hashes are not the same, just the hmac hash or when base64 encoded ?

Test just the hmac hashes first...

The two are different.
Really weird.

Here :

Or :

And with PHP :

Got it !! Thanks TIMAI2

Returns a base64 encoded HMAC SHA256 hash
App Inventor Extensions: Tools | Pura Vida Apps

So I just need the HMAC block (not the Base64Encode one because it's already encoded), and for PHP, set "true" for the binary

$key = '])6jkSyuawVzJcL6QQ/%7>G,OT~rWX';
$message = '123456';
$hash = hash_hmac("sha256", $message, $key, true);
echo base64_encode($hash);
1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.