Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add info for webhook signature validation #3022

Open
melissahenderson opened this issue Oct 8, 2024 · 1 comment · May be fixed by #3054
Open

docs: add info for webhook signature validation #3022

melissahenderson opened this issue Oct 8, 2024 · 1 comment · May be fixed by #3054
Assignees
Labels
user-doc-priority: medium User doc priority is medium user-docs

Comments

@melissahenderson
Copy link
Contributor

This was requested by Radu. He and Max may be good resources if there are questions.

If an ASE wants to use a signature, the SIGNATURE_SECRET environment variable is optional, so the ASE can opt in or opt out. We should point this out in the Admin API(s) and somewhere in the Webhook Events page, rather than making signatures its own page.

For the webhooks, Radu suggested something like this as well as code snippets.

  1. Go to https://docs.stripe.com/webhooks?lang=node&verify=verify-manually#verify-official-libraries
  2. Click the Verify Manually tab

The steps in the Stripe doc are:

  1. Extract the timestamp and signatures from the header (in our case the timestamp is in the Rafiki-Signature header)
  2. Prepare the signed_payload string (in our case, the payload string is the request body [the data Rafiki sends to the ASE])
  3. Determine the expected signature
  4. Compare the signatures
@github-project-automation github-project-automation bot moved this to Backlog in Rafiki Oct 8, 2024
@github-project-automation github-project-automation bot moved this to Backlog in Documentation Oct 8, 2024
@brad-dow brad-dow self-assigned this Oct 18, 2024
@brad-dow brad-dow linked a pull request Oct 30, 2024 that will close this issue
@brad-dow
Copy link
Contributor

Adding this content to the Webhook Events page before adding to any of the API pages. Adding @raducristianpopa and @mkurapov to the PR to verify this information first.

Need to learn more about how (or if) signatures are used across Rafiki for other services and if the logic is the same. Looks like Auth Admin API has its own signature variables as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
user-doc-priority: medium User doc priority is medium user-docs
Projects
Status: In Progress
Status: Backlog
Development

Successfully merging a pull request may close this issue.

2 participants