You can add webhooks to subscribe to events from OnVoard. To add a new webhook, log in as the organization owner and go to the webhooks page.
To secure your endpoint, you can provide a secret value, and we will add an
X-Hub-Signature HTTP header to the call to your webhook URL.
This signature is an HMAC generated with SHA1 using the provided secret and the raw request body. To validate a request, compute the expected signature on your end and compare it with
Below is a Flask example of how to validate a webhook request.
import hashlib
import hmac
import os

from flask import Flask, request, abort

app = Flask(__name__)


@app.route('/webhooks/onvoard', methods=['POST'])
def index():
    # The secret configured on the OnVoard webhooks page; hmac.new needs bytes.
    key = os.environ['WEBHOOK_SECRET'].encode()
    request_signature = request.headers.get('X-Hub-Signature')
    # Reject a request with no signature header instead of comparing against None.
    if request_signature is None:
        abort(500)
    # Sign the raw body exactly as received, not a parsed and re-serialized copy.
    computed_signature = 'sha1=' + hmac.new(
        key, request.data, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(computed_signature, request_signature):
        abort(500)
    return '', 200
Use a constant-time string comparison function such as Python's hmac.compare_digest instead of == for verification, to prevent timing attacks.
== stops comparing at the first mismatched character. This lets an attacker brute force your secret byte by byte, because if they have a matching character the comparison takes longer to finish executing.
hmac.compare_digest is a constant-time comparison function and always takes the same amount of execution time regardless of where the inputs differ.
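The following added example (not OnVoard's code) shows the signing and verification steps described above as plain functions, independent of Flask, so they can be unit-tested: compute_signature builds the sha1=... header value the way the sender does, and verify_signature rejects a missing or malformed header before doing the constant-time comparison. The function names, the constructed secret and the sample body are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional

SIGNATURE_PREFIX = "sha1="


def compute_signature(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature value: 'sha1=' + hex HMAC-SHA1 of the raw body."""
    digest = hmac.new(secret, body, hashlib.sha1).hexdigest()
    return SIGNATURE_PREFIX + digest


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a well-formed signature for body.

    A missing header or one without the expected prefix is rejected up front;
    the digest itself is compared with hmac.compare_digest so that the time
    taken does not depend on how many leading bytes happen to match.
    """
    if not header_value or not header_value.startswith(SIGNATURE_PREFIX):
        return False
    expected = compute_signature(secret, body)
    # Compare as bytes: compare_digest on str inputs raises on non-ASCII data,
    # and an attacker controls the header's contents.
    return hmac.compare_digest(expected.encode(), header_value.encode())


if __name__ == "__main__":
    # Constructed values for the demo; in production the secret comes from
    # configuration (e.g. the WEBHOOK_SECRET environment variable).
    secret = b"key"
    body = b"The quick brown fox jumps over the lazy dog"
    header = compute_signature(secret, body)
    print(header)  # sha1=de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
    print(verify_signature(secret, body, header))          # True
    print(verify_signature(secret, b"tampered body", header))  # False
    print(verify_signature(secret, body, None))            # False
```

Inside a request handler, pass request.data (the raw bytes) and request.headers.get('X-Hub-Signature') to verify_signature; re-serializing a parsed JSON body before signing will produce a different digest and fail verification.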