Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crafting a Great Webhooks Experience

John Sheehan
August 21, 2014
Technology
0
150

Crafting a Great Webhooks Experience

Presented at API Craft SF on 8/21/14

John Sheehan

August 21, 2014
Tweet

More Decks by John Sheehan

See All by John Sheehan
My Favorite API Tools (Other than Runscope)
johnsheehan
0
120
Crafting a Great Webhooks Experience
johnsheehan
2
460
Glue 2015: Microservices - More than just a buzzword.
johnsheehan
2
410
Scale-Oriented Architecture with Microservices
johnsheehan
2
310
The rise of distributed applications.
johnsheehan
2
380
Zen and the Art of API Maintenance
johnsheehan
2
2.1k
Building API integrations you can live with.
johnsheehan
0
68
Free API debugging and testing tools you should know about.
johnsheehan
5
800
Modern Tools for Modern Applications
johnsheehan
1
160

Other Decks in Technology

See All in Technology
GO TechTalk #19 タクシーアプリ『GO』事業成長を支えるデータ分析基盤の継続的改善!
mot_techtalk
2
530
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
970
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.5k
データマイニングと機械学習-SVM
trycycle
0
150
IoTの振り返りと、IoTが産み出すデータ形式のおさらい【IoT-Tech Meetup】
soracom
PRO
0
760
Impressions of the Ruby Kaigi
suzukahr
1
5.3k
フルComposeでTVアプリを作った話
sasakitomohiro
0
280
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
3
490
async-profilerによるスタックトレースタイムトラベル - Kafkaのパフォーマンス問題調査での応用例
line_developers
PRO
0
110
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
1.9k
ジェネレーティブAIとの共創
yuyakakizaki08
1
440
javapを使ってクラスファイルを読んでみよう!
yujisoftware
1
160

Featured

See All Featured
A designer walks into a library…
pauljervisheath
199
17k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
Facilitating Awesome Meetings
lara
35
4.8k
A better future with KSS
kneath
230
16k
Fireside Chat
paigeccino
18
2.1k
Why Our Code Smells
bkeepers
PRO
327
55k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Mobile First: as difficult as doing things right
swwweet
213
8k
Design by the Numbers
sachag
272
18k
[RailsConf 2023] Rails as a piece of cake
palkan
7
1.5k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k

Transcript

  1. Crafting a Great
    Webhooks Experience
    John Sheehan
    CEO, @Runscope
    Tuesday, October 7, 14

    View Slide

  2. Tuesday, October 7, 14

    View Slide

  3. Tuesday, October 7, 14

    View Slide

  4. Tuesday, October 7, 14

    View Slide

  5. Tuesday, October 7, 14

    View Slide

  6. Tuesday, October 7, 14

    View Slide

  7. "user defined
    callbacks made
    with HTTP POST"
    Tuesday, October 7, 14

    View Slide

  8. "Webhooks are the
    easiest way to remotely
    execute code."
    -- Jeff Lindsay once
    when we were talking
    Tuesday, October 7, 14

    View Slide

  9. HTTP Push
    Notifications
    Tuesday, October 7, 14

    View Slide

  10. A Reverse API
    Tuesday, October 7, 14

    View Slide

  11. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.
    Tuesday, October 7, 14

    View Slide

  12. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.
    Tuesday, October 7, 14

    View Slide

  13. Provider makes request to
    URL when an event happens.
    Consumer sets up a server to
    listen for callbacks.
    Consumer registers callback
    URL with provider.
    Tuesday, October 7, 14

    View Slide

  14. Tuesday, October 7, 14

    View Slide

  15. Implementing
    Webhooks
    Tuesday, October 7, 14

    View Slide

  16. url = get_callback_url()
    data = get_webhook_payload_json()
    try:
    resp = requests.post(url, data=data)
    if not resp.ok:
    _logger.error(resp.content)
    except Exception as e:
    _logger.error(e)
    Tuesday, October 7, 14

    View Slide

  17. Problem #1:
    Error Handling
    Tuesday, October 7, 14

    View Slide

  18. > POST /callback
    < 400 Bad Request
    Tuesday, October 7, 14

    View Slide

  19. > POST /callback
    < 302 Found
    < Location: http://
    Tuesday, October 7, 14

    View Slide

  20. > POST /callback
    < 200 OK
    < Content-Type: text/plain
    <
    Tuesday, October 7, 14

    View Slide

  21. Error Handling
    Suggestions
    Tuesday, October 7, 14

    View Slide

  22. Be lenient in what you accept
    back if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.
    Tuesday, October 7, 14

    View Slide

  23. Be lenient in what you accept
    back if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.
    Tuesday, October 7, 14

    View Slide

  24. Be lenient in what you accept
    back if you can reasonably guess.
    Retry failed callbacks with
    exponential back off.
    Decide if redirects are to be
    followed or not.
    Tuesday, October 7, 14

    View Slide

  25. Problem #2:
    Flooding
    Tuesday, October 7, 14

    View Slide

  26. Tuesday, October 7, 14

    View Slide

  27. Active
    Queues


    Tuesday, October 7, 14

    View Slide

  28. Problem #3:
    Security
    Tuesday, October 7, 14

    View Slide

  29. > POST http://localhost:3000
    Tuesday, October 7, 14

    View Slide

  30. > POST http://foo.lvh.me
    Tuesday, October 7, 14

    View Slide

  31. DoS Attack Vector
    Tuesday, October 7, 14

    View Slide

  32. Proving the Source
    Tuesday, October 7, 14

    View Slide

  33. Validation
    Techniques
    Tuesday, October 7, 14

    View Slide

  34. Key Sharing
    Tuesday, October 7, 14

    View Slide

  35. Request
    Signing
    Tuesday, October 7, 14

    View Slide

  36. Re-fetch
    > POST /callback
    > { id: 123 }
    > GET /users/123
    < { id: 123 }
    Webhook Callback
    App Code
    Tuesday, October 7, 14

    View Slide

  37. Security
    Suggestions
    Tuesday, October 7, 14

    View Slide

  38. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.
    Tuesday, October 7, 14

    View Slide

  39. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.
    Tuesday, October 7, 14

    View Slide

  40. Validate your requests.
    Document it well!
    Resolve IPs before making
    request. Consider proxying.
    Consider subscription validation
    for high-volume cases.
    Tuesday, October 7, 14

    View Slide

  41. Developer
    Experience
    Tuesday, October 7, 14

    View Slide

  42. Payload Design
    Tuesday, October 7, 14

    View Slide

  43. Fat vs.Thin
    Tuesday, October 7, 14

    View Slide

  44. - or -
    { }
    payload=
    Tuesday, October 7, 14

    View Slide

  45. - or -
    data = JSON.loads(request.body)
    name = data["name"]
    name = request.form.get("name")
    Tuesday, October 7, 14

    View Slide

  46. payload = request.form.get("payload")
    data = JSON.loads(payload)
    name = data["name"]
    Tuesday, October 7, 14

    View Slide

  47. Mirror API
    Resources
    Tuesday, October 7, 14

    View Slide

  48. Complete
    Documentation!
    Tuesday, October 7, 14

    View Slide

  49. Tooling
    Tuesday, October 7, 14

    View Slide

  50. Accept Multiple
    Callback URLs
    Tuesday, October 7, 14

    View Slide

  51. Hooks API
    Tuesday, October 7, 14

    View Slide

  52. Debugger &
    Logs
    Tuesday, October 7, 14

    View Slide

  53. Manual
    Retries
    Tuesday, October 7, 14

    View Slide

  54. Generate
    Test Callbacks
    Tuesday, October 7, 14

    View Slide

  55. Tunneling
    Tuesday, October 7, 14

    View Slide

  56. Thank you!
    Questions?
    Try Runscope free:
    runscope.com
    Tuesday, October 7, 14

    View Slide