API Webhooks 403

[onairmarc]

Affected Product Which product does this bug affect? Webhooks

Describe the bug I just received numerous emails stating that the API Webhooks are failing due to a 403 error.

Given that the error is 403 and not 429, I believe our Cloudflare configuration causes this issue. Is there an IP Range that I can whitelist to prevent this from happening in the future?

To Reproduce

1. Setup PCO Webhooks
2. Put Cloudflare in front of your site/app
3. Get large amounts of webhooks sent all at once and watch the failures begin

Expected behavior Webhooks shouldn't be blocked. There needs to be a way to identify them while they are being delivered. The easiest way that comes to mind is that there should be a dedicated IP Range that can be whitelisted

Screenshots

Additional Context:

• Endpoint: Receiving Webhooks
• Language: PHP
• Authentication: N/A. Receiving webhooks

Additional context I contacted PCO Support, who directed me here.

I have..

• [x] Reviewed the documentation found at https://developer.planning.center/docs
• [x] Searched for previous issues reporting this bug
• [x] Removed all private information from this issue (credentials, tokens, emails, phone numbers, etc.)
• [x] Reviewed my issue for completeness

[seven1m]

@onairmarc We use AWS infrastructure for delivering webhooks, so the IP range is out of our control. AWS publishes a list of their IP ranges here: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html ...but I cannot imagine that is going to be what you want since it's such a large list.

We also sign our webhook deliveries, which is documented here: https://developer.planning.center/docs/#/overview/webhooks ...maybe there's a way you could teach CloudFlare to check that? (Sorry I'm not familiar with CloudFlare, so I don't know.)

Last, you should know that we do back off and retry deliveries later, so your webhooks should get through eventually. I hope that helps!