Working with Webhooks

A presentation at PHP UK Conference 2018 in February 2018 in London, UK by Lorna Jane Mitchell

Slide 1

Working with Webhooks

Lorna Mitchell, IBM

PHPUK, February 2018

Slide 2

What is a Webhook?

An HTTP POST request.

@lornajane

Slide 3

Webhooks in the Wild

Slide 4

Slack Integrations

Slide 5

GitHub Builds

Slide 6

Fun with Zapier

Slide 7

How APIs Work

Slide 8

How APIs Work

Slide 9

How APIs Work

Slide 10

How Webhooks Work

Slide 11

How Webhooks Work

Slide 12

How Webhooks Work

Slide 13

What About Time?

Slide 14

APIs Over Time

Slide 15

Webhooks Over Time

Slide 16

Webhook Payloads: GitHub Push

    "ref": "refs/heads/master",
    "before": "1ae6a404351cead52df24893621d82ba6ec84a1c",
    "after": "e8474d83985330fa36f8862b37ca84ada4313392",
    "created": false,
    "deleted": false,
    "forced": false,
    "compare": "https://github.com/lornajane/demo/compare/1ae6a404351c…e847
    "commits": [ … ],
    "repository": { … },
    "pusher": { … },
    "sender": { … }

Slide 17

Webhook Payloads

Consider the use cases:
• try to include all information for common outcomes
• consider impact of payload size vs potentially many followup API calls
• keep data formats simple

Slide 18

Webhook Security

When working with webhooks:
• be aware of attack vectors
• always use SSL
• consider shared secrets for HMAC
• all good HTTP security practices apply
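
The shared-secret HMAC check from the list above, as an added example (not code from the talk or the guestbook app): the publisher signs the raw POST body and the receiver recomputes the digest and compares. The header name X-Webhook-Signature, the "sha256=" prefix and the secret are assumptions.

```php
<?php
// Added example; the header name, "sha256=" prefix and secret are assumptions.
const SIGNATURE_HEADER = 'X-Webhook-Signature'; // hypothetical header name

// Publisher: sign the exact bytes that go out as the POST body.
function sign_payload(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

// Receiver: recompute over the raw body and compare in constant time.
function verify_payload(string $rawBody, ?string $header, string $secret): bool
{
    if ($header === null || strncmp($header, 'sha256=', 7) !== 0) {
        return false; // missing header or unknown scheme
    }
    return hash_equals(sign_payload($rawBody, $secret), $header);
}

// Constructed sample data (not from the talk).
$secret = 'constructed-demo-secret';
$body   = json_encode(['comment' => ['name' => 'Alice', 'comment' => 'Hello', 'time' => 1518000000]]);
$header = sign_payload($body, $secret);
printf("%s: %s\n", SIGNATURE_HEADER, $header);

// In a real endpoint the inputs would be file_get_contents('php://input')
// and $_SERVER['HTTP_X_WEBHOOK_SIGNATURE'].
$cases = [
    'unmodified body'       => [$body, $header],
    'tampered body'         => [str_replace('Hello', 'Hacked', $body), $header],
    're-encoded JSON'       => [json_encode(json_decode($body, true), JSON_PRETTY_PRINT), $header],
    'missing signature'     => [$body, null],
    'signed with other key' => [$body, sign_payload($body, 'wrong-secret')],
];
foreach ($cases as $label => [$raw, $sig]) {
    printf("%-22s %s\n", $label, verify_payload($raw, $sig, $secret) ? 'accepted' : 'rejected');
}
```

Verify against the bytes as received: decoding and re-encoding the JSON changes its formatting, so the digest no longer matches. Storing the raw body together with the signature header lets the check run after the request has been acknowledged.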

Slide 19

Slide 20

Publishing Webhooks

Slide 21

Publishing Webhooks

Offering webhook integrations is ideal if:
• you have clients polling your API a lot
• it’s common for another system to react to changes in your system
• you want to offer notifications for specific events

Slide 22

Example App: Retro Guestbook

In the olden days, we had guestbooks on our websites. My example app is a guestbook that:
• allows a user to leave their name and a comment
• shows the comments left so far
• supports webhook notification of new comments by allowing endpoints to be registered

Slide 23

Example App: Retro Guestbook

Slide 24

Saving Data: Basic Process

Slide 25

Saving Data: Handling Webhooks

Slide 26

Saving Data: Handling Webhooks

Slide 27

Saving Data: Handling Webhooks

Slide 28

Saving Data: Handling Webhooks

    // both filter names are cut off on the slide (FILTER_SANITIZE_STRIN,
    // FILTER_SANITIZE); FILTER_SANITIZE_STRING is assumed for both
    $comment['name'] = filter_var($data['name'], FILTER_SANITIZE_STRING);
    $comment['comment'] = filter_var($data['comment'], FILTER_SANITIZE_STRING);
    $comment['time'] = time();

    // write comment to CouchDB...

    // get the list of webhooks to notify from CouchDB...

    // write comments and webhooks to queue
    $channel = $this->rabbitmq_handle->channel();
    $msg = new \PhpAmqpLib\Message\AMQPMessage(
        json_encode(["comment" => $comment, "webhooks" => $webhooks])
    );
    $channel->basic_publish($msg, '', 'comments');

Slide 29

Saving Data: Handling Webhooks

Slide 30

Saving Data: Handling Webhooks

Slide 31

Saving Data: Handling Webhooks

Slide 32

Example: Publishing Webhooks (includes excellent endpoint testing tool: http://requestb.in)

Slide 33

Slide 34

Receiving Webhooks

Slide 35

Receiving Webhooks

It’s just a POST request! Advice:
• DO: accept, store and acknowledge quickly
• DON’T: validate or process before acknowledging

Slide 36

Serverless Webhook Endpoints

Serverless technology:
• Functions as a Service
• Scalable: ideal for bursty workloads
• Pay-as-you-go, and with free tiers
• PHP supported on some platforms (they all support NodeJS)

Slide 37

Serverless PHP Webhook Catcher

    function main(array $params) : array {
        // connection details and the raw (base64-encoded) request body arrive as parameters
        $db_url = $params['cloudantURL'];
        $incoming_body = base64_decode($params['__ow_body']);
        $data = json_decode($incoming_body, true);

        echo "Saving data ...\n";
        // store the payload with some metadata; processing happens later
        $server = new \PHPCouchDB\Server(["url" => $db_url]);
        $db = $server->useDb(["name" => "incoming"]);
        $meta = ["received" => time(), "status" => "new"];
        $db->create(["data" => $data, "meta" => $meta]);
        return ["body" => "Thanks :)"];
    }

Slide 38

Example: Receiving a Webhook

Slide 39

Ngrok for Testing Webhooks

https://ngrok.com/ - secure tunnel to your dev platform

Use this tool to:
• webhook into code running locally
• inspect the request and response of the webhook
• replay requests and see the responses

Slide 40

Webhooks … are awesome :)

Slide 41

Webhooks in Your Applications

• Use them WHEN you want to notify other systems
• Examples of HOW to use webhooks hopefully gave you some ideas
• Webhooks are HTTP: we already understand this

Slide 42

Thanks!

• Feedback please! https://joind.in/
• IBM Cloud: https://www.ibm.com/cloud/
• Requestbin: http://requestb.in
• Ngrok: https://ngrok.com/
• PHP Web Services from O’Reilly
• Example app: https://github.com/ibm-watson-data-lab/guestbook
• PHP/CouchDB: https://github.com/ibm-watson-data-lab/php-couchdb