Bug #28375: Webhook request body signature missing from webhook events

Updated by Naglis Jonaitis about 7 years ago

I am trying to integrate the new webhook functionality into a [personal project](https://github.com/naglis/misc-addons/issues/12) (OpenProject -\> Odoo integration).

I would like to verify the integrity and authenticity of the webhook requests, but I do not seem to receive the webhook request body signature HTTP header when the signature secret field is set for the webhook. From reading the related [PR](https://github.com/opf/openproject-webhooks/pull/13/files#diff-b298071a91a2530a8a095eeff6c3fce1R48) it looks like the header should be called `HTTP_X_OP_SIGNATURE`.

I have tested it from a `openproject/community:7.4.7` Docker container.

## Steps to reproduce

1. Generate a webhook testing URL on https://webhook.site/
2. Create a webhook for all projects for work package update events. Point the payload URL to the unique webhook testing URL from step 1. Set the signature secret field to eg. “42”.
3. Update a work package (eg. change status).

## Actual behavior

1. A POST request with the webhook event is received at the webhook payload URL, but without the signature HTTP header (`HTTP_X_OP_SIGNATURE`).

## Expected behavior

1. A POST request with the webhook event is received at the webhook payload URL with the signature HTTP header (`HTTP_X_OP_SIGNATURE`).

## Screenshots

![](edit_webhook.png)
![](webhook_site.png)

Back

Side Menu

Content