How to allow Razorpay Webhook in Cloudflare bot-fight-mode? - webhooks

In our application, we have enabled the Razorpay webhook for seamless payment.
During development testing I used ngrok. It is working fine.
My production server is protected by Cloudflare with Bot Fight Mode enabled.
When the payment is successful, a POST request is sent by the Razorpay webhook, but it is blocked by Cloudflare Bot Fight Mode.
So I created a firewall rule to allow it.
The webhook is still blocked by Cloudflare. Why?
What do I need to do to allow the Razorpay webhook to bypass Cloudflare while still blocking other bots?
Thanks in advance.

I came here looking for an answer too, but I don't think it is possible unless you have an Enterprise account:
https://community.cloudflare.com/t/questions-about-cloudflare-super-bot-fight-mode/256213/40
Whilst this thread refers to Super Bot Fight Mode, I believe the principle is the same: it is only with an Enterprise account that you can choose which URIs to target and which bots to allow through.
Update: I've ended up disabling Bot Fight Mode and will use Fail2Ban on my server and the Cloudflare API to block the IP addresses at their end.
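Whichever way the webhook is let through (Bot Fight Mode off, a firewall exception, or an IP allow-list), the endpoint then accepts POSTs from anyone who can reach it, so the handler itself has to prove each delivery came from Razorpay. Razorpay signs the raw request body with the webhook secret (HMAC-SHA256, hex encoded) and sends the result in the X-Razorpay-Signature header. The example below is added here and is not from the question, the answer or Razorpay; the secret value, the sample event body and the handler function names are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample values: the secret and the payload are made up for this
# example; a real handler reads the secret from configuration and the body
# from the incoming request.
WEBHOOK_SECRET = "example-webhook-secret"
SIGNATURE_HEADER = "X-Razorpay-Signature"


def sign_body(raw_body: bytes, secret: str) -> str:
    """Hex-encoded HMAC-SHA256 of the raw request body, as Razorpay computes it."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, headers: dict, secret: str) -> bool:
    """Return True only if the header signature matches the body.

    hmac.compare_digest keeps the comparison constant-time so a mismatch
    position is not leaked. Header lookup is case-insensitive because
    proxies (including Cloudflare) may normalise header names.
    """
    provided = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            provided = value
            break
    if not provided:
        return False
    expected = sign_body(raw_body, secret)
    return hmac.compare_digest(expected, provided)


def handle_webhook(raw_body: bytes, headers: dict, secret: str = WEBHOOK_SECRET):
    """Verify first, parse JSON second. Returns (status_code, event_name).

    Parsing before verification would expose the JSON parser to anyone who
    can reach the endpoint, which is exactly the traffic Bot Fight Mode was
    blocking. The signature is over the raw bytes, so never re-serialise
    the body before checking it.
    """
    if not verify_signature(raw_body, headers, secret):
        return 401, None
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, event.get("event")


# Constructed sample event, signed with the sample secret so the example runs offline.
SAMPLE_BODY = json.dumps({
    "event": "payment.captured",
    "payload": {"payment": {"entity": {"id": "pay_sample000001", "amount": 50000}}},
}, separators=(",", ":")).encode("utf-8")
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, WEBHOOK_SECRET)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, SAMPLE_HEADERS))       # (200, 'payment.captured')
    tampered = SAMPLE_BODY.replace(b"50000", b"1")
    print(handle_webhook(tampered, SAMPLE_HEADERS))          # (401, None)
```

In a web framework, pass the request's raw body bytes (not the parsed JSON) and the request headers into `handle_webhook`; the 401 for a bad or missing signature is deliberate so that blocked or spoofed deliveries show up in your logs rather than being silently processed.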

Related

How to secure and restrict Azure Bot incoming request when channel is Direct Line

I am looking for a solution to secure an Azure Bot when the communication channel is Direct Line.
The WebChat code is embedded as an IFrame in one of our internal sites, and I want the incoming traffic to be restricted to only a specific IP/URL.
There are security guidelines documented on the MS site, but those talk more about authentication and token-based secure access. (https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-security-guidelines?view=azure-bot-service-4.0)
I wish to implement a secure flow where the bot app service (or related services) is not accessible from outside the network.
There is a well-defined document about how one can secure a Microsoft Teams channel bot and web app behind a firewall (https://learn.microsoft.com/en-us/azure/architecture/example-scenario/teams/securing-bot-teams-channel), but it seems the difference is that Teams has a list of IP ranges defined. (Could I use a similar setup for Direct Line?)
Could anyone please help me understand how I can secure bot services behind a firewall, VNet, or route table to restrict traffic from the outside world?
Or direct me to any article/document/reference that could help me achieve this.
Thank you.

Debug WeChat OAuth2 in localhost testing environment

I would like to implement a web application for a company in China. I need to use a WeChat mini-app to make the sign-up/login straightforward.
Please correct my assumptions if I am wrong:
To implement login to the website from WeChat, I need to use the OAuth2 protocol.
I also need to create a WeChat developer account under a real name (need an ID card or business registration) if I want to distribute the application.
I also need to register a domain name with WeChat so that they can allow OAuth2 authentication for this domain name.
Question: can I still use my localhost virtual machine to develop my server?
(I didn't try, but I assume WeChat will refuse to create an OAuth2 token for localhost 127.0.0.1.)
Or do I need to have a development domain name with a development server reachable from the Internet so that I can debug the OAuth2 authentication?
EDIT 1: I tried to send an HTTPS POST request to https://127.0.0.1:8080 and I got an error linking to this URL:
https://developers.weixin.qq.com/miniprogram/dev/framework/ability/network.html
EDIT 2: I tried to send an HTTPS POST request to https://192.168.1.148:8080, which corresponds to my dev computer, and I got the error VM17415:1 Cannot send network request to localhost. (My test phone and computer are both connected to the network 192.168.1.x through WiFi.)
The documentation is available in English on the official website [1]. It states: network APIs allow communication with LAN IP addresses. So basically, if the phone is connected to the same network as the virtual machine (i.e. WiFi), one should be able to send any kind of HTTP/HTTPS request properly.
Note that the development environment WeChat DevTools blocks this feature by default. To enable it, open the Project Settings and check the box 'Does not verify valid domain names, web-view (business domain names), TLS versions and HTTPS certificates'.
[1] https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/network.html

Duplicate messages on Azure Web API

I am working on a web application that has Angular 4 on the frontend and Web API on the backend. This application is hosted on MS Azure, and until now we haven't had any issues.
Currently we need to integrate with a payment provider. During payment the user is redirected to the provider's payment page, and if everything goes well the user is redirected back to our website. Besides the browser redirect (which may fail), the payment provider supports a server-to-server call (HTTP GET). In this way they make sure we get information about the transaction. The problem is that instead of one call to our Web API backend we always get two calls. After checking the request origin IP addresses I concluded that there are two origins (one is the payment provider's address and the other is an IP located in the USA, which I assume belongs to MS). This looks to me like a routing problem, but I am not very experienced with this.
Did anybody have a similar problem on Azure while hosting a web application?
According to your description, it seems that it fails for cross-domain requests. An Azure website is supposed to manage CORS for you.
I think you missed a handy Azure website blade:
Cross-Origin Resource Sharing (CORS) allows JavaScript code running in a browser on an external host to interact with your backend. Specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of domain or after TLD.
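Independently of why the second call appears, a server-to-server payment notification must be safe to receive more than once: providers retry, proxies replay, and the question shows the same GET arriving from two source addresses. The example below is an added illustration, not code from the question or the answer, of an idempotent handler keyed on the provider's transaction id (the field name `txn_id`, the sample calls and the class name are constructed assumptions). Deduplicating on the transaction id rather than on the source IP is the point: the second delivery is acknowledged but the business action runs once.

```python
import threading

# Constructed sample notifications: the same transaction delivered twice
# from two different source addresses (as in the question), plus a distinct one.
SAMPLE_CALLS = [
    {"txn_id": "TXN-1001", "status": "OK", "remote_addr": "203.0.113.10"},
    {"txn_id": "TXN-1001", "status": "OK", "remote_addr": "198.51.100.7"},
    {"txn_id": "TXN-1002", "status": "OK", "remote_addr": "203.0.113.10"},
]


class NotificationProcessor:
    """Runs the business action for each transaction id exactly once.

    The lock makes check-and-mark atomic, so two deliveries arriving at the
    same moment cannot both pass the "not seen yet" test. A real deployment
    keeps the seen set in shared storage (a database unique constraint on
    txn_id, or a cache entry with a TTL) because an in-memory set is per
    process and is lost on restart.
    """

    def __init__(self):
        self._seen = set()
        self._lock = threading.Lock()
        self.fulfilled = []  # transaction ids whose business action ran

    def handle(self, notification: dict) -> str:
        txn_id = notification.get("txn_id")
        if not txn_id:
            return "rejected"          # malformed: nothing to deduplicate on
        with self._lock:
            if txn_id in self._seen:
                return "duplicate"     # acknowledge (HTTP 200) but do nothing again
            self._seen.add(txn_id)
        self.fulfilled.append(txn_id)  # the one-time action: mark order paid, etc.
        return "processed"


def run_sample():
    """Feed the constructed calls through one processor; returns (outcomes, fulfilled)."""
    processor = NotificationProcessor()
    outcomes = [processor.handle(call) for call in SAMPLE_CALLS]
    return outcomes, list(processor.fulfilled)


if __name__ == "__main__":
    print(run_sample())  # (['processed', 'duplicate', 'processed'], ['TXN-1001', 'TXN-1002'])
```

Return a 200 for the duplicate as well: answering with an error would only make a retrying provider send it a third time.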

DocuSign Connect Not Sending Out XML Messages

I am trying to get DocuSign Connect to make an HTTP POST request to my URL.
I have done some testing with the Postman app on Google Chrome, and I am able to process the DocuSign XML messages sent through this HTTP POST request.
Attached is my setup.
I am unable to receive any messages from DocuSign (I have tried both sending and signing), and additionally I do not see any logs under Logs or Failures.
Is there any possible reason for this?
Update: I was using a self-signed certificate on my application, and hence DocuSign was unable to post the XML message to my web service.
This has been resolved after installation of a DocuSign-accepted certificate.
Assuming your account is configured properly for Connect and you do not see anything in the logs or failures, here are some possible reasons:
Security software or firewall on your side blocking/catching the message before it reaches your listener
You are filtering for an envelope you do not have permission to.
Your tests are invalid (i.e. you've configured for a signing event but the user is declining or taking some other action).
Also, I just realized you don't have Require Acknowledgement enabled in your Connect config; try turning that on to see if any failures start showing up. Here's the description of this option from the docs:
"Require Acknowledgment: Select this option to log posting failures. DocuSign waits 100 seconds for an acknowledgement before recording a failure. DocuSign logs a failure if the attempt to reach the external endpoint returns anything other than an HTTP 200. The acknowledgment failure messages are logged on the Failures page, which is accessed by clicking FAILURES on the Connect page. When this option is selected, DocuSign will automatically attempt to repost any failures. You can also manually repost from the Failures page."
Check that you have "Connect" enabled as one of the account's features. Do this using the admin tool (New DocuSign Experience) or Preferences in Classic.
Also, if you're trying out Connect on a production account, only some types of accounts include the Connect feature. Contact your Account Manager if it isn't enabled.
All Developer Sandbox accounts on the demo platform do include Connect.
All account types support webhook subscriptions at the envelope level using the eventNotification feature.
Are you using a production account or a sandbox account for DocuSign Connect? You must include the protocol, HTTP or HTTPS, in the web address for a sandbox account, and you must include HTTPS:// in the web address for production accounts because SSL is required in production accounts. DocuSign Connect sends the XML to the default ports of 443 for HTTPS and 80 for HTTP. If you cannot use port 443 for production, contact DocuSign to review possible options. Check this link for DocuSign Connect technical information. Hope you have handled the server side of it (i.e., the URL you have entered in "URL to publish") in order to receive the response from DocuSign at the desired URL when some event happens.
For example:
If you are using a sandbox DocuSign account for Connect, the URL to publish has to be something like http://domain.com/Home/DocuConnect (the hosted application port number has to be 80). For sandbox accounts, DocuSign Connect is enabled by default for all users.
If you are using a production account for Connect, the URL to publish has to be something like https://domain.com/Home/DocuConnect (the hosted application port number has to be 443). In some cases DocuSign Connect is enabled based on the respective subscription plan. To check that, go to the Features tab, look for DocuSign Connect and try to tick the checkbox; if it cannot be checked then you have to contact the DocuSign Account Manager.
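The answers above cover the DocuSign side (certificate, port, "Require Acknowledgement"); the listener side is what has to answer HTTP 200 promptly, because with acknowledgements on anything else is logged as a failure and reposted. The example below is added here and is not code from the question, the answers or DocuSign: a minimal Connect listener that acknowledges first and parses the XML body into the envelope id and status. The element names and namespace are assumptions modelled on the legacy Connect XML message (DocuSignEnvelopeInformation/EnvelopeStatus) and the sample message is constructed; check them against what your own account actually posts.

```python
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed namespace and element names for the legacy Connect XML message.
NS = {"ds": "http://www.docusign.net/API/3.0"}


def parse_connect_message(raw_xml: bytes) -> dict:
    """Extract envelope id and status from a Connect XML body.

    xml.etree does not resolve external entities, but for XML that arrives
    from the internet prefer the defusedxml package, which also rejects
    entity-expansion (billion laughs) payloads before they consume memory.
    """
    root = ET.fromstring(raw_xml)
    status = root.find("ds:EnvelopeStatus", NS)
    if status is None:
        raise ValueError("no EnvelopeStatus element")
    env_id = status.findtext("ds:EnvelopeID", default="", namespaces=NS)
    env_status = status.findtext("ds:Status", default="", namespaces=NS)
    if not env_id:
        raise ValueError("no EnvelopeID element")
    return {"envelope_id": env_id, "status": env_status}


class ConnectListener(BaseHTTPRequestHandler):
    """Answer every well-formed post with 200 as quickly as possible.

    Slow work (database writes, downstream calls) belongs after the response,
    e.g. on a queue, so that it never pushes the acknowledgement past the
    timeout DocuSign waits for.
    """

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            info = parse_connect_message(body)
        except (ET.ParseError, ValueError):
            self.send_response(400)   # malformed: let it show up under Failures
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.log_message("envelope %s is %s", info["envelope_id"], info["status"])


# Constructed sample message using the assumed element names above.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<DocuSignEnvelopeInformation xmlns="http://www.docusign.net/API/3.0">
  <EnvelopeStatus>
    <EnvelopeID>00000000-0000-0000-0000-000000000001</EnvelopeID>
    <Status>Completed</Status>
  </EnvelopeStatus>
</DocuSignEnvelopeInformation>"""

if __name__ == "__main__":
    print(parse_connect_message(SAMPLE_XML))
    # Plain HTTP on 8080 for local tests only; in production put a
    # TLS-terminating reverse proxy with a publicly trusted certificate on
    # 443 in front of it, which is the fix the question's update describes.
    HTTPServer(("0.0.0.0", 8080), ConnectListener).serve_forever()
```

To exercise it locally, POST the sample XML to http://localhost:8080/ with Postman or curl and confirm a 200 and a log line; a self-signed certificate on the public endpoint will still fail the DocuSign delivery regardless of what this code returns.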

is there anyway to test google webhook without having any registered domain over ssl?

I am writing something where my program expects a webhook callback when something changes in a specific file on Google Drive. I am through with the business logic; however, I am unable to get webhook callbacks as I don't have any secured domain over SSL. Could anyone please suggest an alternative way to test these webhook callbacks in a development environment? I appreciate every read and comment.
If you own a domain you can forward it to AWS servers, and they provide free SSL certs. Otherwise you can use the service Let's Encrypt https://letsencrypt.org/ to secure your website.