This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

1.5.0

@anneFly anneFly released this 15 May 08:27
· 2 commits to master since this release
f4c1c07

Add utilities to verify signed webhooks.

  • You can use closio.contrib.django.utils.webhook_signature_valid to verify webhook requests that you receive.
    When a webhook subscription is created via the Closeio API, the response contains a secret signature key. This is the key that Closeio uses to sign its webhooks. You can use it to verify that a request really comes from Closeio (only Closeio should have the signature key) and that the payload was not altered in between. This is a simple security mechanism that protects the endpoints receiving the webhooks from false requests. The signature key for each webhook subscription needs to be stored in the setting CLOSEIO_WEBHOOK_SIGNATURE_KEYS as a JSON string with the webhook subscription ID as key and the signature key as value, e.g.:
    CLOSEIO_WEBHOOK_SIGNATURE_KEYS = '{"whsub_1": "123", "whsub_2": "456"}'
    
    More information can be found in Closeio's documentation.
  • You can use the pytest fixture sign_closeio_webhook_request to sign your requests for testing purposes. Usage example:
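    def test_webhook(client, sign_closeio_webhook_request):
        data = {'some key': 'some value'}
        # pytest injects the fixture by argument name; calling it signs the payload
        data, headers = sign_closeio_webhook_request(data)
        client.post('/my/url/', data, **headers)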
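
The check described in the first bullet, written out as an added example: it is not the library's own implementation of webhook_signature_valid. The header names, the hex-encoded key, the subscription_id payload field and the HMAC-SHA256 construction are assumptions to confirm against Closeio's documentation, and the keys and request are constructed.

```python
import hashlib
import hmac
import json

# Constructed hex keys; real ones come from the subscription-creation response.
KEY_1 = "00112233445566778899aabbccddeeff"
KEY_2 = "ffeeddccbbaa99887766554433221100"
# Same shape as the setting above: subscription ID -> signature key.
CLOSEIO_WEBHOOK_SIGNATURE_KEYS = json.dumps({"whsub_1": KEY_1, "whsub_2": KEY_2})

# Assumptions to confirm against Closeio's documentation: the header names,
# the hex-encoded key, and HMAC-SHA256 computed over timestamp + raw body.
SIG_HEADER = "close-sig-hash"
TS_HEADER = "close-sig-timestamp"


def sign(key_hex, timestamp, body):
    """Hex HMAC-SHA256 of timestamp + body under the hex-encoded key."""
    message = (timestamp + body).encode("utf-8")
    return hmac.new(bytes.fromhex(key_hex), message, hashlib.sha256).hexdigest()


def signature_valid(headers, body, keys_json=CLOSEIO_WEBHOOK_SIGNATURE_KEYS):
    """Return True only if the body was signed with the key of its subscription."""
    try:
        keys = json.loads(keys_json)
        # Assumed payload field naming the subscription that sent the event.
        subscription_id = json.loads(body)["subscription_id"]
        expected = sign(keys[subscription_id], headers[TS_HEADER], body)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, headers[SIG_HEADER])
    except (KeyError, TypeError, ValueError):
        # Unknown subscription, missing header or malformed input: fail closed.
        return False


def signed_headers(key_hex, timestamp, body):
    """Build the header pair a sender holding key_hex would attach."""
    return {TS_HEADER: timestamp, SIG_HEADER: sign(key_hex, timestamp, body)}


if __name__ == "__main__":
    body = '{"subscription_id": "whsub_1", "event": {"action": "created"}}'  # constructed
    print(signature_valid(signed_headers(KEY_1, "1557908820", body), body))  # genuine
    print(signature_valid(signed_headers(KEY_2, "1557908820", body), body))  # wrong key
    print(signature_valid(signed_headers(KEY_1, "1557908820", body), body + " "))  # altered
```

Pass the raw request body exactly as received: re-serialising the parsed JSON changes the bytes that were signed and makes a genuine request fail verification.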