Handling Webhooks with Laravel

A presentation at Laravel Live UK in June 2019 in London, UK by Lorna Jane Mitchell

Slide 1

Slide 1

Handling Webhooks with Laravel Lorna Mitchell, Nexmo

Slide 2

Slide 2

What is a Webhook? An HTTP POST request. @lornajane

Slide 3

Slide 3

Why Webhooks? Event-driven HTTP = Webhooks @lornajane

Slide 4

Slide 4

Webhooks in the Wild @lornajane

Slide 5

Slide 5

Slack Integrations @lornajane

Slide 6

Slide 6

GitHub Builds @lornajane

Slide 7

Slide 7

Webhook Use Cases • Notify of events • Deliver data when available • Broadcast to multiple receivers as-it-happens @lornajane

Slide 8

Slide 8

How APIs Work @lornajane

Slide 9

Slide 9

How APIs Work @lornajane

Slide 10

Slide 10

How APIs Work @lornajane

Slide 11

Slide 11

How APIs Work @lornajane

Slide 12

Slide 12

How Webhooks Work @lornajane

Slide 13

Slide 13

How Webhooks Work @lornajane

Slide 14

Slide 14

How Webhooks Work @lornajane

Slide 15

Slide 15

What About Time? @lornajane

Slide 16

Slide 16

APIs Over Time @lornajane

Slide 17

Slide 17

Webhooks Over Time @lornajane

Slide 18

Slide 18

Slide 19

Slide 19

Where To Webhook To? @lornajane

Slide 20

Slide 20

Webhooks Need Pre-arrangement With APIs, the client calls the server. With Webhooks, the client has to register with the server, to get data later. … may also agree security (e.g. shared secret) at this stage. @lornajane

Slide 21

Slide 21

Receiving Webhooks Warning: minor tangent ahead @lornajane

Slide 22

Slide 22

Ngrok for Testing Webhooks https://ngrok.com/ - secure tunnel to your dev platform Use this tool to: • webhook into code running locally • inspect the request and response of the webhook • replay requests and see the responses @lornajane

Slide 23

Slide 23

Ngrok for Testing Webhooks Start the tunnel on your laptop: receive a public URL @lornajane

Slide 24

Slide 24

Example: Nexmo SMS When you register a phone number and receive an SMS, your application receives a webhook. @lornajane

Slide 25

Slide 25

I’m running open endpoints on the internet and accepting data, now what? @lornajane

Slide 26

Slide 26

Webhook Security When working with webhooks: • be aware of attack vectors • always use SSL • consider shared secrets and hashing • all good HTTP security practices apply @lornajane

Slide 27

Slide 27

Shared Secrets Share a secret in advance, then transmit all the fields and a signature hash created using the secret. @lornajane

Slide 28

Slide 28

Nexmo SMS Security Nexmo can sign messages using a shared secret. The PHP library https://github.com/nexmo/nexmo-php can do this for you. $signature = new \Nexmo\Client\Signature($_GET, SIGNATURE_SECRET, ‘sha256’); $isValid = $signature->check($_GET[‘sig’]); @lornajane

Slide 29

Slide 29

Slide 30

Slide 30

Receiving Webhooks: Best Practice It’s just an HTTP request! Advice: • DO: accept, store and acknowledge quickly • DON’T: process before acknowledging @lornajane

Slide 31

Slide 31

Using Queues in PHP Applications Queues protect you against bursty traffic. Queues separate work from webservers. • This example uses https://beanstalkd.github.io/ and Laravel • Other good alternatives: Redis or Laravel Horizon, Amazon SQS, RabbitMQ @lornajane

Slide 32

Slide 32

Laravel and Beanstalkd 1 use App\Jobs\InboundSms; 2 Route::get(‘inbound-sms’, function(Request $request) { 3 // get incoming parameters (includes GET and POST) 4 $params = $request->input(); 5 $data = [“event” => “message”, “text” => $params[‘text’], 6 “receivedAt” => date(“U”), “payload” => $params]; 7 error_log(“New message: ” . $params[‘text’]); 8 9 InboundSms::dispatch($data); 10 return “OK”; 11 }); @lornajane

Slide 33

Slide 33

So The Data is In a Queue. Now What? @lornajane

Slide 34

Slide 34

Let’s talk about Workers Workers are long-running scripts that process a series of jobs. Workers need to be independent: • if things go wrong, exit • separate tool to monitor/restart as needed • beware long-running process hazards • everything processed “at least once” (but maybe more than once, and in any order…) @lornajane

Slide 35

Slide 35

Processing SMSes with Laravel 1 public function handle() 2 { 3 $params = $this->data; 4 $signature = new \Nexmo\Client\Signature($params[‘payload’], 5 config(‘nexmo.signature_secret’), ‘sha256’); 6 $isValid = $signature->check($params[‘payload’][‘sig’]); 7 8 if($isValid) { 9 error_log(“Message Verified: ” . $params[‘payload’][‘text’]); 10 } else { error_log(“Message Rejected”); } 11 } @lornajane

Slide 36

Slide 36

Slide 37

Slide 37

Webhooks … are awesome :) @lornajane

Slide 38

Slide 38

Webhooks in Your Applications • Use them WHEN you want to notify other systems • Examples of HOW to use webhooks hopefully gave you some ideas • Webhooks are HTTP: we already understand this @lornajane

Slide 39

Slide 39

Thanks! • PHP Web Services from O’Reilly • Nexmo: https://nexmo.com • Me: https://lornajane.net • Ngrok: https://ngrok.com/ • Nexmo for Laravel: https://github.com/Nexmo/nexmo-laravel • Code: https://github.com/lornajane/incoming-sms-laravel-beanstalkd @lornajane