AppAuthentication Plug fails authentication for all Messenger webhook events #77

Open
@sheldonkreger

Description

API versions tested: 3.2 (oldest available) and 7.0 (latest).

I am trying to determine if this is an issue with my configuration, or if this project needs to be updated for newer versions of the Facebook API. I am interested in volunteering some developer time if updates are required.

I was able to create my Page Subscription using config.exs and saving my webhook settings at https://developers.facebook.com/apps/my-app-id/webhooks/. My app returns a 200 when this is invoked.

I have also configured a Page with an access token in the Messenger configuration for my FB app. My app receives webhooks when I send a message to my Page via Messenger (as expected). However, this always results in a 401 and a :mb_webserv_payload_failed event. No 200 is sent back to FB.

I placed IO.inspect(error) inside MessengerBot.Web.Renderer.send_error which returns:

    %MessengerBot.Model.Error{
      app_id: "my-app-id",
      code: :unauthorized,
      details: %{signature: "invalid"},
      page_id: nil
    }

Digging into why the authorization failed, I looked at MessengerBot.Util.Encryption.validate_sha1 and discovered that body is always an empty string. The body field is loaded in MessengerBot.Web.Plug.AppAuthentication.call. Using IO.inspect(conn), it became clear that conn.private.body is an empty string. However, conn.private.app.secret is populated with the expected value from my config.exs.

It may be noteworthy that data related to the request body is contained in conn.body_params. I'm not sure if this data is equivalent to (what should be in) conn.private.body.

My config:

    config :messenger_bot,
      fb_api_version: "v7.0",
      pages: %{
        "xxxxxx" => %{
          "xxxxxx" => %{
            id: "xxxxxx",
            name: "My Page Name",
            access_token: "xxxxx"
          }
        }
      },
      apps: %{
        "yyyyy" => %{
          id: "yyyyy",
          secret: "abcd",
          setup_token: "efgh",
          access_token: "ijkl"
        }
      }

I am unsure if this is a misconfiguration on my behalf, or if the authentication code is trying to load parameters which have been moved in newer versions of the FB API. Again, I am willing to volunteer some time to update this project, if needed.

Thank you in advance.
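
An added example (not part of the original issue and not MessengerBot's code) of the kind of check that fails above, assuming the signature is the `sha1=<hex>` HMAC-SHA1 of the raw request bytes keyed with the app secret, which is how Facebook's X-Hub-Signature header is defined. Module and function names are hypothetical and the sample secret and body are constructed. It shows that the check passes only over the exact bytes received, not over an empty string or over JSON re-encoded from parsed params.

```elixir
defmodule WebhookSignatureExample do
  # Added example; names here are hypothetical, not MessengerBot's API.

  # Hex HMAC-SHA1 of the exact request bytes, keyed with the app secret.
  def sign(secret, raw_body) do
    :crypto.mac(:hmac, :sha, secret, raw_body) |> Base.encode16(case: :lower)
  end

  # The header is expected in the form "sha1=<hex digest>".
  def valid?("sha1=" <> received, secret, raw_body) do
    secure_compare(String.downcase(received), sign(secret, raw_body))
  end

  def valid?(_header, _secret, _raw_body), do: false

  # Constant-time comparison for equal-length binaries.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    :binary.bin_to_list(a)
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end)
    |> Kernel.==(0)
  end

  defp secure_compare(_a, _b), do: false
end

# Constructed sample data (not a real secret or a captured request).
secret = "abcd"
raw_body = ~s({"object":"page","entry":[{"id":"1","time":1}]})
header = "sha1=" <> WebhookSignatureExample.sign(secret, raw_body)

# The same JSON value serialized with a different key order: different bytes.
reencoded = ~s({"entry":[{"time":1,"id":"1"}],"object":"page"})

IO.inspect(WebhookSignatureExample.valid?(header, secret, raw_body), label: "raw body")
IO.inspect(WebhookSignatureExample.valid?(header, secret, ""), label: "empty body")
IO.inspect(WebhookSignatureExample.valid?(header, secret, reencoded), label: "re-encoded params")
```

In a Plug pipeline the request body can be read only once, so the raw bytes have to be captured before a body parser consumes them (for example through the `:body_reader` option of `Plug.Parsers`).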
