I’m trying to implement a Facebook library with node.js, and the request signing isn’t working. I have the PHP example seen here translated into node. I’m trying it out with the example given there, where the secret is the string “secret”. My code looks like this:
var signedRequest = request.signed_request.split('.');
var sig = b64url.decode(signedRequest[0]);
var expected = crypto.createHmac('sha256', 'secret').update(signedRequest[1]).digest();
console.log(sig == expected); // false
I can’t console.log the decoded strings themselves, because they have special characters that cause the console to clear (if you have a suggestion to get around that, please let me know), but I can output the b64url encodings of them.
The expected encoded sig, as you can see on the FB documentation, is
vlXgu64BQGFSQrY0ZcJBZASMvYvTHu9GQ0YM9rjPSso
My expected value, when encoded, is
wr5Vw6DCu8KuAUBhUkLCtjRlw4JBZATCjMK9wovDkx7Dr0ZDRgzDtsK4w49Kw4o
So why do I think it’s digest that’s wrong? Maybe the error is on my side? Well, if I execute the exact example in PHP given in the documentation, the correct result comes out. But if I change the hash_hmac call so the last parameter is false, outputting hex, I get
YmU1NWUwYmJhZTAxNDA2MTUyNDJiNjM0NjVjMjQxNjQwNDhjYmQ4YmQzMWVlZjQ2NDM0NjBjZjZiOGNmNGFjYQ==
Now, if I go back to my javascript code, and change my hmac code to .digest("hex") instead of the default "binary" and log the base64 encoding of the result, I get… surprise!
YmU1NWUwYmJhZTAxNDA2MTUyNDJiNjM0NjVjMjQxNjQwNDhjYmQ4YmQzMWVlZjQ2NDM0NjBjZjZiOGNmNGFjYQ
Same, except the == signs are missing off the end, but I think that’s a console thing. I can’t imagine that being the issue; without them it’s not even a valid base64 string length.
So, how come the digest method outputs the correct result when using hex, but the wrong answer when using binary? Is the binary not quite the same as the “raw” output of the PHP equivalent? And if that’s the case, what is the correct way to call it?
I am Tesserex’s partner. I believe the answer may have been a combination of both Tesserex’s self-posted answer and Juicy Scripter’s answer. We were still using Node ver. 0.4.7. The bug Tesserex mentioned can be found here: https://github.com/joyent/node/issues/324. I’m not entirely certain that this bug affected us, but it seems a good possibility. We updated Node to ver 0.6.5 and applied Juicy Scripter’s solution and everything is now working. Thank you.
As a note about the suggestion of using existing libraries: most of the existing libraries require express; this is something we are trying to avoid due to some of the specifics of our application. Also, the existing libraries tend to assume that you’re using node.js like a web server and answering a single user’s request at a time. We are using persistent connections with websockets, and our Facebook client will be handling session data for multiple users simultaneously. Eventually I hope to make our Facebook client open source for use with applications like ours.
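Added example, not part of the original posts: on current Node.js, where `digest()` with no encoding returns a `Buffer`, the signature can be checked on raw bytes with a constant-time comparison. `utf8Mangle` reproduces the mismatched value from the question by holding the digest in a binary string and encoding that string as UTF-8. The helper names and the sample payload are constructed for illustration, and the `algorithm` field check is an assumption about the payload format.

```javascript
// Added example (not from the original posts); helper names are hypothetical.
const { createHmac, timingSafeEqual } = require('crypto');

const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const toB64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Returns the parsed payload if the signature is valid, otherwise null.
function verifySignedRequest(signedRequest, secret) {
  const parts = String(signedRequest).split('.');
  if (parts.length !== 2) return null;
  const sig = fromB64url(parts[0]);
  // digest() with no encoding returns raw bytes as a Buffer in current Node.js.
  const expected = createHmac('sha256', secret).update(parts[1]).digest();
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (sig.length !== expected.length || !timingSafeEqual(sig, expected)) return null;
  try {
    const payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
    // Assumption: the payload names its algorithm; accept only the one verified.
    return payload && payload.algorithm === 'HMAC-SHA256' ? payload : null;
  } catch (e) {
    return null;
  }
}

// Reproduces the question's mismatch: raw digest bytes held in a JavaScript
// string (one char per byte) and then written out as UTF-8, so every byte
// >= 0x80 turns into two bytes before the base64url step.
function utf8Mangle(sigB64url) {
  const binaryString = fromB64url(sigB64url).toString('latin1');
  return toB64url(Buffer.from(binaryString, 'utf8'));
}

// Constructed sample: sign a payload locally with the question's test secret.
function makeSignedRequest(payload, secret) {
  const body = toB64url(Buffer.from(JSON.stringify(payload), 'utf8'));
  return toB64url(createHmac('sha256', secret).update(body).digest()) + '.' + body;
}
```
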