Closed achadee closed 8 years ago
Well, actually... that was implemented years ago and it works for all the webhooks created via the API by OAuth authorised apps. The reason why it's only those webhooks is that Vend uses the application's client_secret to sign the webhook and when it's not there, there is simply nothing to sign it with. So, if you get a signed webhook it will have a header like this:
X-Signature: signature=897hRT893qkA783M093ha903f,algorithm=HMAC-SHA256
So, you can grab the payload of that webhook, hash it with the client_secret using the algorithm mentioned in the header and compare it to the signature.
I'll make sure to add that to the docs to clarify this for others.
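The check the Vend reply above describes, written out as an added Python example (not Vend's code, nor the integration's): parse the X-Signature header, recompute HMAC-SHA256 over the raw request body keyed with the app's client_secret, and compare in constant time. The thread does not say how the signature is encoded, so the verifier accepts either hex or base64 (the base64 form is what the Shopify tutorial linked further down uses); that choice, the sample secret and body, and the sign_webhook helper are assumptions made here for the example.

```python
"""Verify a Vend-style signed webhook: HMAC-SHA256 over the raw body, keyed
with the OAuth app's client_secret, carried in a header of the form
    X-Signature: signature=<sig>,algorithm=HMAC-SHA256
Added example, not Vend's code. The signature encoding is not stated in the
thread, so hex and base64 are both accepted (an assumption)."""
import base64
import hashlib
import hmac

# Only the algorithm the header actually advertises; nothing weaker is accepted.
ALGORITHMS = {"HMAC-SHA256": hashlib.sha256}


def parse_signature_header(header_value):
    """Split 'signature=<sig>,algorithm=<alg>' into a dict with lowercase keys.

    Split on the first '=' only so base64 padding in the signature survives.
    """
    fields = {}
    for part in header_value.split(","):
        if "=" not in part:
            continue  # ignore malformed fragments rather than crash
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def _as_bytes(value):
    return value.encode("utf-8") if isinstance(value, str) else bytes(value)


def verify_webhook(raw_body, headers, client_secret):
    """Return True only if the X-Signature header authenticates raw_body.

    raw_body must be the bytes exactly as received: re-serialising parsed JSON
    changes whitespace and key order and breaks the MAC. Header names are
    matched case-insensitively. Every failure returns False (never raises) so
    the caller can simply reject the request.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("x-signature")
    if not header:
        return False  # unsigned webhook: nothing to verify, so reject it
    fields = parse_signature_header(header)
    digestmod = ALGORITHMS.get(fields.get("algorithm", "").upper())
    provided = fields.get("signature")
    if digestmod is None or not provided:
        return False  # unknown or absent algorithm: no fallback to anything else
    expected = hmac.new(_as_bytes(client_secret), _as_bytes(raw_body), digestmod).digest()
    # Constant-time comparison against both textual encodings of the MAC, so a
    # byte-by-byte mismatch does not leak timing. compare_digest on inputs of
    # different lengths returns False without raising.
    candidates = (expected.hex(), base64.b64encode(expected).decode("ascii"))
    provided_b = _as_bytes(provided)
    return any(hmac.compare_digest(provided_b, c.encode("ascii")) for c in candidates)


def sign_webhook(raw_body, client_secret, encoding="hex"):
    """Sender side, constructed here only to exercise the verifier."""
    mac = hmac.new(_as_bytes(client_secret), _as_bytes(raw_body), hashlib.sha256).digest()
    sig = mac.hex() if encoding == "hex" else base64.b64encode(mac).decode("ascii")
    return f"signature={sig},algorithm=HMAC-SHA256"


if __name__ == "__main__":
    # Constructed sample: a made-up secret and body, not real Vend traffic.
    secret = "example-client-secret"
    body = b'{"type":"product.update","id":"abc123"}'
    hdr = sign_webhook(body, secret)
    print(hdr)
    print("valid:", verify_webhook(body, {"X-Signature": hdr}, secret))
    print("tampered:", verify_webhook(body + b" ", {"X-Signature": hdr}, secret))
```

Two things to keep in mind when wiring this into a real handler: read the body as raw bytes before any framework parses it, and treat an unsigned webhook (no X-Signature, which per the reply above is what you get for webhooks not created through an OAuth app) as unauthenticated rather than silently accepting it.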
Yeah cheers, wasn't even aware this existed. I'll prioritise an update for this on our end
You guys need to add security to your webhooks, have a look at how Shopify does it: https://help.shopify.com/api/tutorials/webhooks
You'll need to pass it as a param on the OAuth callback.
Not the highest priority for us, because we will be adding a param to the webhook URLs to prevent any sort of attack; however, you guys should be aware that all your current integrations are easily hackable.