How to use Webhooks with OnVoard
You can add webhooks to subscribe to events from OnVoard. To secure your endpoint, you can provide a secret value, and we will add an
X-Hub-Signature HTTP header to each call to your webhook URL.
This signature is generated with HMAC-SHA1 using the provided secret and the request body. To validate a request, compute the expected signature on your end and compare it with
Below is a Flask example showing how to validate a webhook request.
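import hashlib
import hmac
import os

from flask import Flask, request, abort

app = Flask(__name__)


@app.route('/webhooks/onvoard', methods=['POST'])
def index():
    # hmac.new() requires a bytes key; environment variables are str.
    key = os.environ['WEBHOOK_SECRET'].encode('utf-8')
    # Default to '' so a missing header fails the comparison instead of raising.
    request_signature = request.headers.get('X-Hub-Signature', '')
    # Sign the raw request body exactly as received.
    computed_signature = 'sha1=' + hmac.new(
        key, request.data, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(computed_signature, request_signature):
        abort(500)
    # Signature is valid; handle the event here.
    return '', 200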
The example uses hmac.compare_digest instead of == for verification to prevent timing attacks.
== will stop comparing after the first character mismatch. This allows an attacker to brute-force your secret byte by byte, knowing that when a character matches, the comparison takes longer to finish.
hmac.compare_digest is a constant time comparison function and will always take the same amount of execution time.
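The same check without a web framework, as an added example that is not OnVoard's own code: it signs and verifies a body in the 'sha1=' + hex format used above and rejects a missing or non-ASCII header instead of raising. The function names, the sample secret and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

PREFIX = "sha1="  # scheme prefix used in the Flask example above


def sign_body(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature value: 'sha1=' + HMAC-SHA1 hex digest."""
    return PREFIX + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check a received X-Hub-Signature header against the raw request body."""
    if not header:
        # Missing header: reject here, because compare_digest raises on None.
        return False
    expected = sign_body(secret, body).encode("ascii")
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input,
    # and the header value is controlled by whoever sent the request.
    received = header.encode("utf-8")
    return hmac.compare_digest(expected, received)


# Constructed sample values (hypothetical), not real OnVoard data.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"event": "example.created", "id": 1}'

if __name__ == "__main__":
    good = sign_body(SAMPLE_SECRET, SAMPLE_BODY)
    cases = {
        "valid signature": (SAMPLE_BODY, good),
        "tampered body": (SAMPLE_BODY + b" ", good),
        "missing header": (SAMPLE_BODY, None),
        "non-ASCII header": (SAMPLE_BODY, "sha1=\u00e9"),
    }
    for name, (body, header) in cases.items():
        print(f"{name}: {verify_signature(SAMPLE_SECRET, body, header)}")
```

Always pass the raw request bytes to the verifier; re-serializing parsed JSON can change whitespace or key order and make a valid signature fail.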