Working with Webhooks

A presentation at FOSDEM in February 2019 in Brussels, Belgium by Lorna Jane Mitchell

Slide 1

Slide 1

Working with Webhooks Lorna Mitchell, Nexmo

Slide 2

Slide 2

What is a Webhook? An HTTP POST request. @lornajane

Slide 3

Slide 3

Why Webhooks? Event-driven HTTP = Webhooks @lornajane

Slide 4

Slide 4

Webhooks in the Wild @lornajane

Slide 5

Slide 5

Slack Integrations @lornajane

Slide 6

Slide 6

GitHub Builds @lornajane

Slide 7

Slide 7

Webhook Use Cases • Notify of events • Deliver data when available • Broadcast to multiple receivers as-it-happens @lornajane

Slide 8

Slide 8

How APIs Work @lornajane

Slide 9

Slide 9

How APIs Work @lornajane

Slide 10

Slide 10

How APIs Work @lornajane

Slide 11

Slide 11

How APIs Work @lornajane

Slide 12

Slide 12

How Webhooks Work @lornajane

Slide 13

Slide 13

How Webhooks Work @lornajane

Slide 14

Slide 14

How Webhooks Work @lornajane

Slide 15

Slide 15

What About Time? @lornajane

Slide 16

Slide 16

APIs Over Time @lornajane

Slide 17

Slide 17

Webhooks Over Time @lornajane

Slide 18

Slide 18

Slide 19

Slide 19

Where To Webhook To? @lornajane

Slide 20

Slide 20

Webhooks Need Pre-arrangement With APIs, the client calls the server. With Webhooks, the client has to register with the server, to get data later. @lornajane

Slide 21

Slide 21

Receiving Webhooks Warning: minor tangent ahead @lornajane

Slide 22

Slide 22

Ngrok for Testing Webhooks https://ngrok.com/ - secure tunnel to your dev platform Use this tool to: • webhook into code running locally • inspect the request and response of the webhook • replay requests and see the responses @lornajane

Slide 23

Slide 23

Ngrok for Testing Webhooks Start the tunnel on your laptop: receive a public URL @lornajane

Slide 24

Slide 24

Example: Nexmo SMS When you register a phone number and receive an SMS, your application receives a webhook. @lornajane

Slide 25

Slide 25

I’m running open endpoints on the internet and accepting data, now what? @lornajane

Slide 26

Slide 26

Webhook Security When working with webhooks: • be aware of attack vectors • always use SSL • consider shared secrets and hashing • all good HTTP security practices apply @lornajane

Slide 27

Slide 27

Nexmo SMS Security Nexmo can sign messages using a shared secret. The PHP library https://github.com/nexmo/nexmo-php can do this for you. $signature = new \Nexmo\Client\Signature($_GET, SIGNATURE_SECRET, ‘sha256’); $isValid = $signature->check($_GET[‘sig’]); @lornajane

Slide 28

Slide 28

Webhooks … are awesome :) @lornajane

Slide 29

Slide 29

Webhooks in Your Applications • Use them WHEN you want to notify other systems • Examples of HOW to use webhooks hopefully gave you some ideas • Webhooks are HTTP: we already understand this @lornajane

Slide 30

Slide 30

Thanks! • Nexmo: https://nexmo.com (DM me for credit) • Me: https://lornajane.net and @lornajane • Ngrok: https://ngrok.com/ • PHP Web Services from O’Reilly @lornajane