AMI Security with Non-Python (Node.js)

Going through this implementation, I’m wondering, has this https://support.shotgunsoftware.com/hc/en-us/articles/115000025494-Securing-your-Action-Menu-Items ever been verified with any platform other than Python? I’m trying it in node, and having issues.

Here is a portion of my ported code that is not working (form is an object parsed from the request body):

const crypto = require('crypto');

const key = 'my-key';

// Collect every parameter except the signature itself as "key=value"
const sortedParams = [];
for (const [k, v] of Object.entries(form)) {
  if (k !== 'signature') {
    sortedParams.push(`${k}=${v}`);
  }
}
// Sort, then join with CRLF between the entries
const stringToVerify = sortedParams.sort().join('\r\n');
console.log('stringToVerify:', stringToVerify);

// HMAC-SHA1 over the joined string, hex-encoded
const signature = crypto.createHmac('sha1', key).update(stringToVerify).digest('hex');
console.log('signature (form):', form.signature);
console.log('signature (hmac):', signature);

I have 3 suspicions: the crypto implementation is different, the sorting is different, or I’m just missing something obvious.

I found this thread, "AMI fails to validate from Media page", which solved my issue.

The final working example is (NOTICE the && v, and the \r\n movement, those were both needed!):

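const crypto = require('crypto');

const key = 'my-key';

// Skip the signature and any parameter with an empty value;
// every kept entry carries its own trailing CRLF
const sortedParams = [];
for (const [k, v] of Object.entries(form)) {
    if (k !== 'signature' && v) {
        sortedParams.push(`${k}=${v}\r\n`);
    }
}
sortedParams.sort();

// Concatenate without a separator (the CRLF is already on each entry)
const stringToVerify = sortedParams.join('');
console.log('stringToVerify:');
console.log(stringToVerify);

// HMAC-SHA1 over the joined string, hex-encoded
const signature = crypto.createHmac('sha1', key).update(stringToVerify).digest('hex');
// app is the surrounding application object (not shown here)
app.log.info('signature (form):', form.signature);
app.log.info('signature (hmac):', signature);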
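The working snippet above only logs the two signatures. As an added example (not code from the thread or from Shotgun), here is the same string construction wrapped in a check that rejects a missing or altered signature and compares in constant time. The function names and the sample field names are assumptions made for illustration.

```javascript
// Added example, not code from the original thread.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Build the signed string the way the working snippet does: every
// non-empty parameter except "signature" as "key=value\r\n", sorted,
// then concatenated with no separator.
function canonicalString(form) {
  return Object.entries(form)
    .filter(([k, v]) => k !== 'signature' && v)
    .map(([k, v]) => `${k}=${v}\r\n`)
    .sort()
    .join('');
}

// HMAC-SHA1 over the canonical string, hex-encoded (lowercase).
function computeSignature(form, key) {
  return createHmac('sha1', key).update(canonicalString(form)).digest('hex');
}

// True only when form.signature equals the expected hex digest.
function verifyForm(form, key) {
  const given = Buffer.from(String(form.signature || ''));
  const expected = Buffer.from(computeSignature(form, key));
  // timingSafeEqual throws on a length mismatch, so check length first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample payload; the field names are illustrative only.
const sampleKey = 'my-key';
const sample = { user_login: 'alice', project_id: '70', ids: '1,2', view: '' };
sample.signature = computeSignature(sample, sampleKey);

console.log(verifyForm(sample, sampleKey));                      // untouched payload
console.log(verifyForm({ ...sample, ids: '1,2,3' }, sampleKey)); // altered payload
```

The empty `view` field shows the effect of the `&& v` filter: it is left out of the signed string entirely.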