How to use Webhooks with OnVoard

You can add webhooks to subscribe to events from OnVoard. To secure your endpoint, you can provide with a secret value and we will add  X-Hub-Signature  HTTP header to call webhook url. 

This signature is generated with SHA1 using provided secret and request body. To validate request, compute expected signature on your end and compare it with  X-Hub-Signature .

Below is a flask example on how to validate webhook request.

import hashlib
import hmac
import os
from flask import Flask, request, abort

@app.route('/webhooks/onvoard', methods=['POST'])
def index():
    key = os.environ['WEBHOOK_SECRET']
    request_signature = request.headers.get('X-Hub-Signature')
    computed_signature = 'sha1=' + hmac.new(
        key, request.data, hashlib.sha1).hexdigest()

    if not hmac.compare_digest(computed_signature, request_signature):
        abort(500)

Note

Use constant time string comparison function like Python's  hmac.compare_digest instead of  ==  for verification to prevent timing attack. 

Why? == will stop comparing after the first character mismatch. This allows an attacker to brute force byte by byte your secret knowing that if they have a matching character, the comparison will take longer to finish execution. hmac.compare_digest  is a constant time comparison function and will always take the same amount of execution time.