Closed: shaun-technovation closed this 2 months ago
Hey team! Please add your planning poker estimate with Zenhub @shaun-technovation @viviancan
A few notes/links related to the work I did:
Documentation on creating and setting up the HMAC secret key in DocuSign:
A blogpost from DocuSign on manually verifying a payload with HMAC:
Documentation and code examples (including Ruby) on verifying a payload with HMAC:
I also set up Pagekite locally to test all of this:
This is on Preview. Everything should work as expected, like it is now.
The behind-the-scenes changes are that now when we receive a webhook payload it will get verified with our secret key (that only DocuSign and we have). If it's valid, everything will happen that's happening now (the legal document will get marked as signed). If the payload is not valid, we'll log an error message, and then basically nothing will happen. This makes it so that only verified payloads from DocuSign (who has the secret key) will get processed.
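The verify-then-process flow described in the comment above, as an added Ruby example that is not the project's own code or part of the original comment. It assumes DocuSign Connect's `X-DocuSign-Signature-1` header carrying the base64 HMAC-SHA256 of the raw request body; the method names, secret and payload are hypothetical and constructed for illustration.

```ruby
require 'openssl'

# Assumption: header DocuSign Connect sends for the first configured HMAC key.
SIGNATURE_HEADER = 'X-DocuSign-Signature-1'

# Constructed sample values, not real credentials or a real payload.
SAMPLE_SECRET = 'constructed-test-secret'
SAMPLE_BODY   = '{"event":"envelope-completed","data":{"envelopeId":"constructed-id"}}'

# Base64 HMAC-SHA256 over the exact bytes received. Sign the raw body,
# never a re-serialized copy of the parsed JSON, or the digest will differ.
def compute_signature(secret, raw_body)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, raw_body)
  [mac].pack('m0') # strict base64, no trailing newline
end

# Compare without returning early on the first differing byte,
# so response timing does not reveal how much of the signature matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def valid_webhook?(secret, raw_body, header_value)
  # Fail closed: a missing or empty signature header is never valid.
  return false if header_value.nil? || header_value.strip.empty?
  constant_time_equal?(compute_signature(secret, raw_body), header_value.strip)
end

# Returns :processed for a verified payload, :rejected otherwise.
# `logger` is any callable; the real handler would mark the document signed.
def handle_webhook(secret, raw_body, headers, logger: ->(msg) { warn msg })
  unless valid_webhook?(secret, raw_body, headers[SIGNATURE_HEADER])
    logger.call('DocuSign webhook rejected: HMAC verification failed')
    return :rejected
  end
  :processed
end
```

In a Rails controller the raw bytes come from `request.raw_post`, read before any JSON parsing touches the body.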
I was able to sign documents on preview and I see the signed stamp on the admin side
Right now the webhook endpoint built in #4691 is a public endpoint, available to anyone. We should lock down this endpoint so only DocuSign can use it.
From the documentation: