Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Devpl 2719 hmac verification #62

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Devpl 2719 hmac verification #62

wants to merge 3 commits into from

Conversation

KeithRyanWong
Copy link
Collaborator

JS SDK changes: webflow/js-webflow-api#214

Description

Developer documentation will be updated to push users to use the SDK rather than build their own solution to verify signatures. The reason is because we may change signature generation in the future, and using the SDK will allow users to simply update the WebflowAPI package. This means that the function signature should remain the same between versions. However, because Request objects vary between server implementations, I don't think it's feasible to allow users to pass in the request-like object to the function and expect things to work. Since HMAC generation will always include a secret key, header information, and the request body– I think we can safely require users to pass in these parameters in the expected format without breaking them in the future.

  1. If we need access to the request body fields, we can always transform it into a JSON object.
  2. While headers may be subject to change, passing in the whole headers collection as a record allows us the flexibility to access whatever we need.

Here's a link to the related PR for updating the docs:
https://github.com/webflow/openapi-internal/pull/342

Usage

To use the new function, users will break the http request down into its relevant parts and pass them into the function, which will return a promise that resolves to a Boolean representing whether the signature is valid.

Example

    @app.post('/webhookEndpoint')
    async def webhook_endpoint_handler(
        request: Request,
    ):
        # Read the request body as a utf-8 encoded string
        body = (await request.body()).decode("utf-8")  
    
        # Extract the headers as Mapping-like object
        headers = request.headers

        secret = get_secret()
        
        verified = verify(
            headers=request.headers, 
            body=(await request.body()).decode("utf-8"), 
            secret=new_webhook.secretKey)

        if verified:
            # ...process the request normally
        else:
            # ...handle unathenticated request

Test Plan

OAuth App generated webhooks

OAuth App generated webhooks will not have a secret key and will continue to use the associated Client Secret to verify HMAC signatures as detailed in the Working with Webhooks documentation
To test:

  1. Generate a webhook through the Auth'd application
  2. Trigger the webhook, setup your handler to pass in the Client Secret Key into the secret field of the of the #verify function

New client only Secret Key

  1. In the Webflow dashboard, navigate to a site's Apps & Integrations tab and add a new webhook
  2. Add the generated Secret Key to your local application and setup your handler to pass it into the secret field of the of the #verify function
  3. Trigger the webhook

@KeithRyanWong KeithRyanWong requested a review from zplata February 21, 2025 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zplata zplata Awaiting requested review from zplata

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@KeithRyanWong