Secure Webhook endpoint

hi snipcart people.

i need support with securing the webhook endpoint for a custom shipping integration. see this discussion for further context of the task.

based on snipcart’s info here, i would like to secure the communication with sendcloud’s api and need support to implement the necessary steps.

sendcloud offers this information regarding their api/webhooks and this regarding payload, validation.

can you help connecting the dots to implement this “handshake” between snipcart’s webhook and sendcloud?

thank you!

Hi @correa

Sorry if I missed some information. What exactly do you mean by secure the communication?
Are you using any backend service?

Thanks.

hi @nelitow thanks for getting back to me.
i am having trouble with securing my webhook endpoint.
i can’t get the validation to work. need some hints how to get this to work.

in terminal/postman i am trying this:
curl -v -u '{API-SECRET-KEY}:' https://app.snipcart.com/api/requestvalidation/{token}
which results in a 400 bad request

in php i am trying this:

  $headers = apache_request_headers();
  $tToken = $headers['X-Snipcart-Requesttoken'];
  $url = 'https://app.snipcart.com/api/requestvalidation/'.$tToken;
  $auth = base64_encode($tKey . ':' . '');
  $context = stream_context_create([
      "http" => [
          "header" => "Authorization: Basic $auth"
      ]
  ]);
  $contents = file_get_contents($url, false, $context );

which also results in “400 bad request”

Hi @correa

I was not able to get your code to work. From my understanding the file_get_contents needs some server setup to GET HTTPS resources. You also probably need the Accept: application/json header.

Still, I got it working with code based on yours, but using cURL instead. Here it is:

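$tKey = '---'; // secret API key (placeholder)
$headers = apache_request_headers();
// Token Snipcart sends with each webhook request; empty string if the header is absent
$tToken = $headers['X-Snipcart-Requesttoken'] ?? '';
// Encode the token so it can only fill a single path segment of the validation URL
$url = 'https://app.snipcart.com/api/requestvalidation/' . rawurlencode($tToken);
// HTTP Basic auth: secret key as user name, empty password
$auth = base64_encode($tKey . ':');

$curl = curl_init();

curl_setopt_array($curl, array(
    CURLOPT_URL => $url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => '',
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 10, // seconds; 0 would wait indefinitely
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => 'GET',
    CURLOPT_HTTPHEADER => array(
        'Accept: application/json',
        'Authorization: Basic ' . $auth
    ),
));

$response = curl_exec($curl);

// 200 means Snipcart recognises the token; anything else means the request is not trusted
$status_code = curl_getinfo($curl, CURLINFO_HTTP_CODE);

echo $status_code;
if ($status_code == 200) {
    echo 'OK';
} else {
    echo 'FAIL';
}

// close cURL resource
curl_close($curl);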

I hope this helps.

Thanks.
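The token check from this thread wrapped into reusable functions, as an added example that is not code from the posters or from Snipcart. The function names, the 512-byte length limit, the `tok-123` sample token and the stub that stands in for Snipcart are assumptions made for illustration.

```php
<?php
// Added example; not Snipcart's or the posters' code. Helper names are hypothetical.
const VALIDATION_URL = 'https://app.snipcart.com/api/requestvalidation/';

// Find the token header whatever casing the web server reports for its name.
function request_token(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'X-Snipcart-RequestToken') === 0) {
            return trim((string) $value);
        }
    }
    return null;
}

// Real lookup: GET the validation URL with the secret key as Basic-auth user name.
function fetch_status(string $url, string $secretKey): int
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // only a direct 200 counts as confirmation
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,    // keep a slow lookup from tying up the endpoint
        CURLOPT_HTTPHEADER     => [
            'Accept: application/json',
            'Authorization: Basic ' . base64_encode($secretKey . ':'),
        ],
    ]);
    return curl_exec($curl) === false ? 0 : (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
}

// True only if the token is well formed and the lookup answers HTTP 200.
function token_is_valid(?string $token, string $secretKey, ?callable $fetch = null): bool
{
    // Missing, oversized (assumed 512-byte limit) or dot-only tokens trigger no outbound call.
    if ($token === null || $token === '' || strlen($token) > 512 || trim($token, '.') === '') {
        return false;
    }
    $fetch = $fetch ?? 'fetch_status';
    return $fetch(VALIDATION_URL . rawurlencode($token), $secretKey) === 200;
}

// Constructed demo: a stub stands in for Snipcart so the script runs offline.
// Inputs: lower-cased header name with a known token, a token containing '/', no header.
$stub = fn(string $url, string $key): int => str_ends_with($url, '/tok-123') ? 200 : 404;
var_dump(token_is_valid(request_token(['x-snipcart-requesttoken' => 'tok-123']), 'sk', $stub));
var_dump(token_is_valid(request_token(['X-Snipcart-RequestToken' => 'tok/123']), 'sk', $stub));
var_dump(token_is_valid(request_token([]), 'sk', $stub));
```

In the real endpoint, call `token_is_valid(request_token(getallheaders()), $secretKey)` without the stub, and answer with a 401 before reading the request body whenever it returns false.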

@nelitow thank you, i will check and get back to you.


@nelitow thanks for your support. based on your hints, i was able to implement the handshake.
