We're currently implementing Mailgun's webhook to convert an email reply to a reply in a comment thread in our application. We set up a route to match the recipient and set the action to store(notify="https://example.com/example-endpoint"). Mailgun POSTs data to the given endpoint where we then process the message and add it to the application comment thread.
My question is this:
How do I lock down the endpoint so that Mailgun is the only entity that can post here? Is there a list of IPs that I can whitelist? Is there a special key that they send that I can validate against the private API key?
I found my own answer in the documentation. I should have read the documentation more closely.
The "Securing Webhooks" section under https://documentation.mailgun.com/user_manual.html#webhooks says:
To ensure the authenticity of event requests, Mailgun signs them and posts the signature along with other webhook parameters.
I had to compare the signature value in the payload to a SHA256 HMAC hash of timestamp and token using the api key as the HMAC key.
For example:
$_POST['signature'] === hash_hmac('sha256', $_POST['timestamp'] . $_POST['token'], 'example-api-key');
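The same check as a small Python function, added here as an illustration rather than code from the question or from Mailgun. It recomputes HMAC-SHA256 over timestamp + token with the API key, compares in constant time, rejects stale timestamps, and optionally refuses a token it has already accepted; the key value and the 15-minute window are assumptions, not values from the page.

```python
import hashlib
import hmac
import time

# Constructed sample key; a real deployment reads the Mailgun API key from configuration.
API_KEY = "example-api-key"

# Assumed replay window for the timestamp field (not a value stated on the page).
MAX_SKEW_SECONDS = 15 * 60


def compute_signature(api_key: str, timestamp: str, token: str) -> str:
    """Hex HMAC-SHA256 over timestamp concatenated with token, keyed by the API key."""
    msg = (timestamp + token).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_mailgun_signature(api_key, form, now=None, max_skew=MAX_SKEW_SECONDS,
                             seen_tokens=None) -> bool:
    """Return True only if timestamp, token and signature are all present, the
    timestamp is within max_skew seconds of now, the HMAC matches (constant-time
    compare), and, when a seen_tokens set is supplied, the token has not been
    accepted before (blocks replay of a captured POST inside the window)."""
    try:
        timestamp = form["timestamp"]
        token = form["token"]
        signature = form["signature"]
    except KeyError:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    expected = compute_signature(api_key, timestamp, token)
    if not hmac.compare_digest(expected, signature):
        return False
    if seen_tokens is not None:
        if token in seen_tokens:
            return False
        seen_tokens.add(token)
    return True


if __name__ == "__main__":
    # Constructed POST body, signed with the sample key so it verifies.
    ts = str(int(time.time()))
    form = {"timestamp": ts, "token": "constructed-token",
            "signature": compute_signature(API_KEY, ts, "constructed-token")}
    print(verify_mailgun_signature(API_KEY, form))
```

`hmac.compare_digest` is the Python counterpart of PHP's `hash_equals`; a plain `==`/`===` on the hex strings leaks how many leading characters matched through timing.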
Related
I need to get, by passing the Transaction ID, the from/to addresses, the value of the token transferred, and the type of token passed.
I've found so far the API from Tron Grid; I have already tried
https://api.trongrid.io/v1/transactions/TRANSACTION_ID/events
This call returns the two wallet addresses and the amount (uint256), but not the type of token passed.
Is there any way?
I also found the tronweb package, but I can't find any documentation about it.
Thank you!
You can keep a map of contract addresses and token types. I'm not sure this is relevant to you.
Trongrid API has two POST endpoints for getting details by transaction id (hash).
https://api.trongrid.io/wallet/gettransactioninfobyid
https://api.trongrid.io/wallet/gettransactionbyid
The body is the same for both requests and should contain the transaction hash:
{"value": "440140edbd1e9be5a0a78605018d5803b2388e080227337b435a826b127cd5d8"}
To get the token type for a transfer you can use the first endpoint: TRC20 transfers are in the response.log array and contain an 'address' field, the hex address of the token's contract. Then you can get the token info by this contract address.
You need an API key to use this API. See the docs for more details:
https://developers.tron.network/v3.7/reference/transaction-info-by-id
https://developers.tron.network/v3.7/reference/walletgettransactionbyid
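An added example (not from the answer or from TronGrid) of the contract-address map the answer suggests, applied to a constructed response shaped like gettransactioninfobyid: each log entry whose first topic is the standard Transfer(address,uint256) event is resolved to a token through the map keyed by the log's contract address. The contract address, wallet addresses and amount in the sample are constructed; the transaction id is the one quoted above. Keying on the contract address rather than on a symbol reported by the contract matters because anyone can deploy a token that calls itself by a well-known name.

```python
# keccak256("Transfer(address,uint256)"), the standard ERC-20/TRC-20 Transfer event topic.
TRANSFER_TOPIC = "ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Hypothetical contract-address -> (symbol, decimals) map.  Keys are 20-byte hex
# without the 0x/41 prefix, matching response.log[].address.  Only contracts you
# have vetted belong here; an unknown address is reported as UNKNOWN, not guessed.
KNOWN_TOKENS = {
    "0000000000000000000000000000000000000001": ("EXAMPLETOKEN", 6),  # constructed
}

# Constructed sample response (real data: POST https://api.trongrid.io/wallet/gettransactioninfobyid).
SAMPLE_TX_INFO = {
    "id": "440140edbd1e9be5a0a78605018d5803b2388e080227337b435a826b127cd5d8",
    "receipt": {"result": "SUCCESS"},
    "log": [
        {
            "address": "0000000000000000000000000000000000000001",
            "topics": [
                TRANSFER_TOPIC,
                "0" * 24 + "11" * 20,  # from (left-padded 20-byte address)
                "0" * 24 + "22" * 20,  # to
            ],
            "data": "0" * 59 + "f4240",  # uint256 amount = 1_000_000
        }
    ],
}


def decode_trc20_transfers(tx_info, known_tokens=KNOWN_TOKENS):
    """Return one dict per Transfer event in tx_info['log'], with the token
    resolved via known_tokens and the amount scaled by the token's decimals."""
    transfers = []
    for entry in tx_info.get("log", []):
        topics = entry.get("topics", [])
        # A Transfer(address,uint256) log has exactly three topics: signature, from, to.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        contract = entry["address"].lower()
        symbol, decimals = known_tokens.get(contract, ("UNKNOWN", 0))
        raw = int(entry["data"], 16)
        transfers.append({
            "contract": contract,
            "symbol": symbol,
            # TRON hex addresses carry the 0x41 mainnet prefix in front of the 20 bytes.
            "from_hex": "41" + topics[1][-40:],
            "to_hex": "41" + topics[2][-40:],
            "raw_amount": raw,
            "amount": raw / 10 ** decimals,
        })
    return transfers


if __name__ == "__main__":
    for t in decode_trc20_transfers(SAMPLE_TX_INFO):
        print(t["symbol"], t["amount"], t["from_hex"], "->", t["to_hex"])
```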
I have multiple Stripe accounts on my site, and each Stripe account is associated with a webhook.
My webhook is returning a 403 error: "No signatures found matching the expected signature for payload".
I've checked the Cashier middleware and it's getting the webhook secret key from the env file.
Since this project is attached to multiple Stripe accounts, we can't store the webhook secret in the env file. So we're placing the webhook secret key of each Stripe account in a table.
I would like to get the secret key from the database instead of this config file.
Is it possible to listen to multiple Stripe accounts' webhooks?
Any help will be appreciated.
I am not sure if this is a good approach but you can:
Send meta data in the checkout which gets posted to the web hook
Get the raw json posted by the web hook before you use the web hook key to validate that the post was from Stripe. Stripe.Net contains a parse method and a construct method. Parse does not require the key. Construct uses the key to validate the post was from Stripe.
So with Stripe.net:
string endpointSecret = null;
// get the raw json posted (keep it unmodified; the signature is computed over these exact bytes)
var json = await new StreamReader(HttpContext.Request.Body).ReadToEndAsync();
// convert the json into a stripe event object WITHOUT verifying the signature yet
var objStripeEvent = EventUtility.ParseEvent(json);
if (objStripeEvent.Type == Events.CheckoutSessionCompleted)
{
    // get the session object and see if it contains the metadata we passed in at checkout
    var session = objStripeEvent.Data.Object as Session;
    var met = session?.Metadata;
    if (met != null && met.ContainsKey("FranchiseGuid"))
    {
        // if the metadata contains the franchise guid, get the matching webhook secret from the DB
        var franchiseGuid = new Guid(met["FranchiseGuid"]);
        endpointSecret = _repo.GetWebHookSecret(franchiseGuid);
    }
}
if (endpointSecret == null)
{
    // no usable routing hint in the (still unverified) payload: reject instead of verifying with a missing key
    return BadRequest();
}
// Then you can go on to use the Construct method to validate the post with the correct key for the Stripe account where the web hook is based.
try
{
    // check it was from Stripe; ConstructEvent throws a StripeException if the signature does not match
    var stripeEvent = EventUtility.ConstructEvent(
        json,
        Request.Headers["Stripe-Signature"],
        endpointSecret);
    ---- etc
I've requested help on this from Stripe support but they have promised to get back to me. I'll test out the above to see if it works. I don't think it's ideal though because if a hacker were able to get a valid franchise guid they could possibly fake posts and spam the endpoint. It would not be easy to guess a guid and these id's are not available in any way publicly. Plus https is used. But it still makes me nervous because the franchise guid would be one of a dozen or more. Not like a booking guid which is generated and sent once for the booking that is marked as paid. The franchise guid would be sent every time a payment was made for that franchise.
I think what I may do is use the booking guid since this is randomly generated for every booking. I can join to the franchise table from the booking and get the web hook secret.
We'll see if Stripe come back with something useful.
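The routing idea from the answer, written out in Python as an added example (not the answer's code and not Stripe's library): the unverified JSON is read only to pick which account's secret to try first, every known secret is tried as a fallback, and nothing is trusted until the v1 signature in the Stripe-Signature header (HMAC-SHA256 over "timestamp.payload") matches. The secrets table, account ids and event body are constructed stand-ins; the 300-second tolerance is Stripe's documented default.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the per-account secrets table described in the question.
WEBHOOK_SECRETS = {
    "franchise-a": "whsec_constructed_secret_A",
    "franchise-b": "whsec_constructed_secret_B",
}
TOLERANCE_SECONDS = 300  # Stripe's default timestamp tolerance


def make_checkout_event(franchise_guid=None):
    """Constructed checkout.session.completed body; metadata carries the routing hint."""
    metadata = {"FranchiseGuid": franchise_guid} if franchise_guid else {}
    return json.dumps({"type": "checkout.session.completed",
                       "data": {"object": {"object": "checkout.session", "metadata": metadata}}})


def parse_sig_header(header):
    """Split 't=...,v1=...,v1=...' into the timestamp and the list of v1 signatures."""
    t, v1 = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            t = value
        elif key == "v1":
            v1.append(value)
    return t, v1


def sign_payload(secret, timestamp, payload):
    """Stripe's v1 scheme: HMAC-SHA256 over '<timestamp>.<raw body>' with the endpoint secret."""
    signed = f"{timestamp}.{payload}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def verify_signature(payload, header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    t, sigs = parse_sig_header(header)
    if t is None or not sigs:
        return False
    try:
        ts = int(t)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False  # stale or replayed delivery
    expected = sign_payload(secret, t, payload)
    return any(hmac.compare_digest(expected, s) for s in sigs)


def route_and_verify(payload, header, secrets=WEBHOOK_SECRETS, now=None):
    """Return (account_id, event) once the payload verifies against some account's
    secret, else None.  The hint from the unverified body only orders the attempts."""
    try:
        event = json.loads(payload)
    except ValueError:
        return None
    try:
        hint = event["data"]["object"]["metadata"]["FranchiseGuid"]
    except (KeyError, TypeError):
        hint = None
    candidates = [hint] if hint in secrets else []
    candidates += [k for k in secrets if k not in candidates]
    for account in candidates:
        if verify_signature(payload, header, secrets[account], now=now):
            return account, event
    return None
```

With a dozen accounts the fallback loop costs a dozen HMACs per unmatched request, which is cheap; the payoff is that a forged hint can at most make the check take a few microseconds longer, never select a weaker path.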
We generated a JWT using the private key given by DocuSign and validated it with the DocuSign public key on the jwt.io site. It generated a valid signature.
Using the same signature, we called the DocuSign demo server for an access token:
POST https://account-d.docusign.com/oauth/token
with
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
assertion=Signature generated
but getting error "Invalid Grant".
What could be the possible reason? If the signature is already verified on jwt.io with the public key, DocuSign should accept the assertion value.
As documented, you also need to supply the following claims:
iss--The integration key (also known as client ID) of the application.
sub--The user ID of the user to be impersonated.
iat--The DateTime when the JWT was issued, in Unix epoch format.
exp--The DateTime when the JWT assertion will expire, in Unix epoch format. Use 1 hour after iat or less.
aud--domain name of the authentication service instance to be used. For demo environments, use account-d.docusign.com For production environments, use account.docusign.com. Note: Do not include https:// in the aud value!
scope--The scopes being requested. For the JWT bearer grant, the requested scope should be signature.
See the docs and also see the DocuSign JWT code examples, the repos named eg-01-*
Ask a new question if you'd like further help.
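A pre-flight check for the claim set, added here as an example and not taken from DocuSign's code samples: it builds the six claims the answer lists and reports every requirement that is not met before the token request is sent (missing claim, aud carrying a scheme or naming the wrong environment, exp more than an hour after iat, scope without signature). Signing is left to whatever JWT library is in use; the integration key and user id are placeholders.

```python
import time

DEMO_AUD = "account-d.docusign.com"
PROD_AUD = "account.docusign.com"
MAX_LIFETIME_SECONDS = 3600  # exp must be at most 1 hour after iat


def build_jwt_claims(integration_key, user_id, aud=DEMO_AUD, scope="signature",
                     now=None, lifetime=MAX_LIFETIME_SECONDS):
    """Assemble the claim set for the JWT bearer grant (values as Unix epoch seconds)."""
    now = int(time.time()) if now is None else now
    return {
        "iss": integration_key,  # integration key / client ID
        "sub": user_id,          # user to impersonate
        "iat": now,
        "exp": now + lifetime,
        "aud": aud,              # bare host name, no https://
        "scope": scope,
    }


def check_docusign_claims(claims, production=False, now=None):
    """Return a list of problems; an empty list means every listed requirement is met."""
    problems = []
    for name in ("iss", "sub", "iat", "exp", "aud", "scope"):
        if name not in claims:
            problems.append(f"missing claim: {name}")
    if problems:
        return problems

    aud = claims["aud"]
    expected_aud = PROD_AUD if production else DEMO_AUD
    if aud.startswith("https://") or aud.startswith("http://"):
        problems.append("aud must be a bare host name, without a scheme")
    elif aud != expected_aud:
        problems.append(f"aud should be {expected_aud} for this environment")

    iat, exp = claims["iat"], claims["exp"]
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat and exp must be integer Unix epoch seconds")
    else:
        if exp <= iat:
            problems.append("exp must be after iat")
        elif exp - iat > MAX_LIFETIME_SECONDS:
            problems.append("exp must be at most 1 hour after iat")
        now = int(time.time()) if now is None else now
        if exp <= now:
            problems.append("assertion already expired")

    if "signature" not in str(claims["scope"]).split():
        problems.append("scope must include 'signature'")
    return problems


if __name__ == "__main__":
    claims = build_jwt_claims("INTEGRATION-KEY-PLACEHOLDER", "USER-ID-PLACEHOLDER")
    print(check_docusign_claims(claims) or "claims OK; sign with RS256 and POST as the assertion")
```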
I'm following this guide, but at the user activation step after successful email verification, the jwt token was not appended as shown here, but I got some other metadata instead:
http://localhost:3000/onboarding?supportSignUp=true&supportForgotPassword=true&email=mail%40test.com&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true#
I'm using express and the auth0 nodejs api.
You need to add the generated JWT yourself in the result_url.
This code uses API v2 to create a new email verification ticket. It is specifying the result_url argument as the local /Account/Activation action handler. And it is putting the generated JWT token as part of the query string.
After the user verifies his or her email address (in Auth0), he will be redirected to the result_url endpoint, with the token in the query string (/Account/Activation?userToken=xxxx in the sample). This piece of code handles that endpoint, verifying the token received and showing a view that allows the user to enter his password and POST the final activation (handled here).
I am not sure where/how to set up a webhook in servicem8. I want to trigger an update when a Job status changes from Quote to Work Order.
I have read the documentation, but am not clear on the process.
Webhooks in ServiceM8 are only supported when using OAuth authentication with an access token, so you will need to register for a free developer account to get your OAuth Client Id and Secret. If you have not yet done so, follow the steps listed here:
http://developer.servicem8.com/docs/the-basics/public-applications/
Once you have OAuth authentication working, subscribe to the 'Job' webhook to receive notifications when job data has changed. Do this by POSTing to https://api.servicem8.com/webhook_subscriptions
As mentioned on http://developer.servicem8.com/docs/platform-services/webhooks/ , the subscribe request should include:
object='job'
fields='status'
callback_url - Set this to the URL you wish to receive notifications
Once you subscribe to the webhook, you will immediately receive a request at your callback URL to verify that you own this URL. The request will contain the URL parameters mode=subscribe and a challenge value. To successfully confirm the challenge request you need to return a 200 result, with the body of the response set to the challenge code.
If you successfully confirm the challenge code request, you will start receiving notifications at your callback_url for any changes to job data within your ServiceM8 account. The notification you receive will contain JSON data similar to
{
    "object": "job",
    "entry": {
        "changed_fields": ["status"],
        "time": "2015-01-01 00:00:00",
        "uuid": "de305d54-75b4-431b-adb2-eb6b9e546013"
    },
    "resource_url": "https://api.servicem8.com/api_1.0/job/de305d54-75b4-431b-adb2-eb6b9e546013.json"
}
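The callback side of this flow as an added Python example (not code from the answer or from ServiceM8), framework-free so it can be dropped behind any HTTP handler: it answers the mode=subscribe challenge with a 200 whose body is the challenge value, parses the notification shape shown above, and hands job uuid and resource_url to a callback only when changed_fields includes status. Because the notification does not carry the new status, the caller must fetch resource_url with its OAuth token to learn whether the job moved from Quote to Work Order; before doing so the handler checks that the URL points at api.servicem8.com, since following an attacker-supplied URL from a webhook body is a server-side request forgery risk. The notification payload below is constructed from the sample above.

```python
import json
from urllib.parse import parse_qs, urlparse

SERVICEM8_API_HOST = "api.servicem8.com"


def make_notification(uuid, changed_fields, resource_url):
    """Constructed notification body in the shape ServiceM8 sends."""
    return json.dumps({
        "object": "job",
        "entry": {"changed_fields": changed_fields, "time": "2015-01-01 00:00:00", "uuid": uuid},
        "resource_url": resource_url,
    })


SAMPLE_NOTIFICATION = make_notification(
    "de305d54-75b4-431b-adb2-eb6b9e546013", ["status"],
    "https://api.servicem8.com/api_1.0/job/de305d54-75b4-431b-adb2-eb6b9e546013.json")


def handle_servicem8_webhook(method, query_string, body, on_status_change):
    """Return (status_code, response_body).

    on_status_change(job_uuid, resource_url) is invoked for job notifications whose
    changed_fields include 'status'; the caller fetches resource_url (with its OAuth
    access token) to read the new status and decide whether Quote became Work Order."""
    params = parse_qs(query_string)
    # Subscription challenge: echo the challenge value back with HTTP 200.
    if params.get("mode") == ["subscribe"]:
        challenge = params.get("challenge")
        if not challenge:
            return 400, "missing challenge"
        return 200, challenge[0]

    if method != "POST":
        return 405, "method not allowed"
    try:
        notification = json.loads(body)
        obj = notification["object"]
        changed = notification["entry"]["changed_fields"]
        uuid = notification["entry"]["uuid"]
        resource_url = notification["resource_url"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed notification"

    if obj != "job" or "status" not in changed:
        return 200, "ignored"  # acknowledge, nothing to do for this change

    # Only follow resource URLs that point back at the ServiceM8 API over HTTPS.
    parsed = urlparse(resource_url)
    if parsed.scheme != "https" or parsed.hostname != SERVICEM8_API_HOST:
        return 400, "unexpected resource host"

    on_status_change(uuid, resource_url)
    return 200, "ok"


if __name__ == "__main__":
    print(handle_servicem8_webhook("GET", "mode=subscribe&challenge=abc123", "", print))
    print(handle_servicem8_webhook("POST", "", SAMPLE_NOTIFICATION,
                                   lambda u, url: print("job", u, "changed status; fetch", url)))
```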