Secure a webhook from unauthorized requests?

I wanted to make a webhook in order to change the status of a document in my collection. This will trigger other events.

Router.route('/mandrill/invitation_sent', { where: 'server' })
  .post(function () {
    // Mandrill posts its events as a JSON string in the mandrill_events field
    var response = EJSON.parse(this.request.body.mandrill_events);
    Players.update({
      "email": {
        "$in": _.map(_.where(response, {
          event: 'send'
        }), function (obj) {
          return obj.msg.email;
        })
      }
    }, {
      // The update operator goes at the top level, with the field inside it
      "$push": {
        "feed": {
          title: "Player invited",
          icon: "ios-player-invited"
        }
      }
    });
  });

However... can't I just post directly to this webhook manually?

>>> import requests
>>> webhook_url = '<url>.com/mandrill/invitation_sent'
>>> payload = { 'mandrill_events': [{ 'event': 'send', 'msg': { 'email': '[email protected]'}}]}
>>> requests.post(webhook_url, data=payload)
<Response [200]>

How do I know the request is coming from a trusted source? Is there some canonical way to make sure that a webhook is receiving data from a trusted source?

There are 1 best solutions below

Mandrill webhooks do authenticate their requests sent to you. Check out their documentation.
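
The answer points at Mandrill's request signing. As an added example (not code from the post or from Mandrill), here is a server-side check of the `X-Mandrill-Signature` header as Mandrill's webhook documentation describes it: a base64 HMAC-SHA1 over the webhook URL plus the sorted POST keys and values, keyed with the webhook's authentication key. The key, URL, e-mail addresses and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Mandrill signs the webhook URL followed by every POST key and value,
// keys sorted alphabetically, with no delimiters.
function signedData(webhookUrl, params) {
  return Object.keys(params).sort()
    .reduce((acc, key) => acc + key + params[key], webhookUrl);
}

// HMAC-SHA1 keyed with the webhook's authentication key, base64-encoded.
function mandrillSignature(webhookKey, webhookUrl, params) {
  return crypto.createHmac('sha1', webhookKey)
    .update(signedData(webhookUrl, params), 'utf8')
    .digest('base64');
}

// Compare against the X-Mandrill-Signature header in constant time.
function isAuthenticMandrillRequest(webhookKey, webhookUrl, params, header) {
  if (typeof header !== 'string') return false;
  const expected = Buffer.from(mandrillSignature(webhookKey, webhookUrl, params));
  const received = Buffer.from(header);
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (assumptions, not taken from the question).
const WEBHOOK_KEY = 'constructed-example-key';
const WEBHOOK_URL = 'https://example.com/mandrill/invitation_sent';
const genuineBody = {
  mandrill_events: JSON.stringify([{ event: 'send', msg: { email: 'player@example.com' } }])
};
const genuineHeader = mandrillSignature(WEBHOOK_KEY, WEBHOOK_URL, genuineBody);
const alteredBody = {
  mandrill_events: JSON.stringify([{ event: 'send', msg: { email: 'other@example.com' } }])
};

// Signed request, request with a changed body, request with no header.
console.log(isAuthenticMandrillRequest(WEBHOOK_KEY, WEBHOOK_URL, genuineBody, genuineHeader));
console.log(isAuthenticMandrillRequest(WEBHOOK_KEY, WEBHOOK_URL, alteredBody, genuineHeader));
console.log(isAuthenticMandrillRequest(WEBHOOK_KEY, WEBHOOK_URL, genuineBody, undefined));

// In the route from the question, the check would run before Players.update:
//   var sig = this.request.headers['x-mandrill-signature'];
//   if (!isAuthenticMandrillRequest(key, url, this.request.body, sig)) {
//     this.response.writeHead(401); return this.response.end();
//   }
```

The URL must match the one entered in Mandrill exactly, so behind a proxy take it from configuration rather than rebuilding it from the request.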