Slide 1

Slide 1 text

Working with Webhooks
Lorna Mitchell, IBM
PHPUK, February 2018

Slide 2

Slide 2 text

What is a Webhook? An HTTP POST request. @lornajane

Slide 3

Slide 3 text

Webhooks in the Wild

Slide 4

Slide 4 text

Slack Integrations

Slide 5

Slide 5 text

GitHub Builds

Slide 6

Slide 6 text

Fun with Zapier

Slide 7

Slide 7 text

How APIs Work

Slide 8

Slide 8 text

How APIs Work

Slide 9

Slide 9 text

How APIs Work

Slide 10

Slide 10 text

How Webhooks Work

Slide 11

Slide 11 text

How Webhooks Work

Slide 12

Slide 12 text

How Webhooks Work

Slide 13

Slide 13 text

What About Time?

Slide 14

Slide 14 text

APIs Over Time

Slide 15

Slide 15 text

Webhooks Over Time

Slide 16

Slide 16 text

Webhook Payloads: GitHub Push
    "ref": "refs/heads/master",
    "before": "1ae6a404351cead52df24893621d82ba6ec84a1c",
    "after": "e8474d83985330fa36f8862b37ca84ada4313392",
    "created": false,
    "deleted": false,
    "forced": false,
    "compare": "https://github.com/lornajane/demo/compare/1ae6a404351c...e847
    "commits": [ ... ],
    "repository": { ... },
    "pusher": { ... },
    "sender": { ... }

Slide 17

Slide 17 text

Webhook Payloads
Consider the use cases:
• try to include all information for common outcomes
• consider impact of payload size vs potentially many followup API calls
• keep data formats simple

Slide 18

Slide 18 text

Webhook Security
When working with webhooks:
• be aware of attack vectors
• always use SSL
• consider shared secrets for HMAC
• all good HTTP security practices apply

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

Publishing Webhooks

Slide 21

Slide 21 text

Publishing Webhooks
Offering webhook integrations is ideal if:
• you have clients polling your API a lot
• it's common for another system to react to changes in your system
• you want to offer notifications for specific events

Slide 22

Slide 22 text

Example App: Retro Guestbook
In the olden days, we had guestbooks on our websites. My example app is a guestbook that:
• allows a user to leave their name and a comment
• shows the comments left so far
• supports webhook notification of new comments by allowing endpoints to be registered

Slide 23

Slide 23 text

Example App: Retro Guestbook

Slide 24

Slide 24 text

Saving Data: Basic Process

Slide 25

Slide 25 text

Saving Data: Handling Webhooks

Slide 26

Slide 26 text

Saving Data: Handling Webhooks

Slide 27

Slide 27 text

Saving Data: Handling Webhooks

Slide 28

Slide 28 text

Saving Data: Handling Webhooks
    // Both filter names are cut off on the slide; FILTER_SANITIZE_STRING is
    // assumed here (note it is deprecated since PHP 8.1).
    $comment['name'] = filter_var($data['name'], FILTER_SANITIZE_STRING);
    $comment['comment'] = filter_var($data['comment'], FILTER_SANITIZE_STRING);
    $comment['time'] = time();
    // write comment to CouchDB...
    // get the list of webhooks to notify from CouchDB...

    // write comments and webhooks to queue
    $channel = $this->rabbitmq_handle->channel();
    // the rest of the constructor call is cut off on the slide
    $msg = new \PhpAmqpLib\Message\AMQPMessage(
        json_encode(["comment" => $comment, "webhooks" => $webhooks])
    );
    $channel->basic_publish($msg, '', 'comments');

Slide 29

Slide 29 text

Saving Data: Handling Webhooks

Slide 30

Slide 30 text

Saving Data: Handling Webhooks

Slide 31

Slide 31 text

Saving Data: Handling Webhooks

Slide 32

Slide 32 text

Example: Publishing Webhooks (includes excellent endpoint testing tool: http://requestb.in)

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Receiving Webhooks

Slide 35

Slide 35 text

Receiving Webhooks
It's just a POST request!
Advice:
• DO: accept, store and acknowledge quickly
• DON'T: validate or process before acknowledging

Slide 36

Slide 36 text

Serverless Webhook Endpoints
Serverless technology:
• Functions as a Service
• Scalable: ideal for bursty workloads
• Pay-as-you-go, and with free tiers
• PHP supported on some platforms (they all support NodeJS)

Slide 37

Slide 37 text

Serverless PHP Webhook Catcher
    function main(array $params) : array {
        $db_url = $params['cloudantURL'];
        // the platform passes the raw request body base64-encoded
        $incoming_body = base64_decode($params['__ow_body']);
        $data = json_decode($incoming_body, true);

        echo "Saving data ...\n";
        $server = new \PHPCouchDB\Server(["url" => $db_url]);
        $db = $server->useDb(["name" => "incoming"]);
        // store first, mark as "new" so it can be processed later
        $meta = ["received" => time(), "status" => "new"];
        $db->create(["data" => $data, "meta" => $meta]);
        return ["body" => "Thanks :)"];
    }
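
Added example (not from the talk or its example app): one way to combine the shared-secret HMAC from Slide 18 with the accept, store and acknowledge advice on Slide 35, by keeping the raw body and signature on receipt and verifying in a later worker step. The function names, the `sha256=` prefix, the secret and the in-memory store are assumptions.

```php
<?php
declare(strict_types=1);

// Publisher: sign the exact bytes that will be sent as the POST body.
function sign_payload(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

// Receiver, step 1: store the raw body and signature untouched, acknowledge.
// $store is an in-memory stand-in for the "incoming" database (assumption).
function catch_webhook(array &$store, string $rawBody, string $signature): array
{
    $store[] = [
        'raw' => base64_encode($rawBody), // keep bytes, not re-encoded JSON
        'signature' => $signature,        // value of the signature header
        'meta' => ['received' => time(), 'status' => 'new'],
    ];
    return ['body' => 'Thanks :)'];
}

// Receiver, step 2 (worker): verify the HMAC before acting on a record.
function verify_record(array $record, string $secret): bool
{
    $rawBody = base64_decode($record['raw'], true);
    if ($rawBody === false) {
        return false;
    }
    // hash_equals() compares in constant time, so no timing side channel.
    return hash_equals(sign_payload($rawBody, $secret), $record['signature']);
}

// Constructed sample data: one genuine delivery, one with an altered body.
$secret = 'example-shared-secret'; // hypothetical; load from config in practice
$body = json_encode(['comment' => ['name' => 'Ada', 'comment' => 'Hello']]);
$signature = sign_payload($body, $secret);
$store = [];
catch_webhook($store, $body, $signature);
catch_webhook($store, str_replace('Ada', 'Eve', $body), $signature);

foreach ($store as $i => $record) {
    $status = verify_record($record, $secret) ? 'verified' : 'rejected';
    $store[$i]['meta']['status'] = $status;
    echo "record $i: $status\n";
}
```

The signature covers the raw request bytes, so a catcher that defers verification has to store the undecoded body alongside (or instead of) the decoded `$data`.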

Slide 38

Slide 38 text

Example: Receiving a Webhook

Slide 39

Slide 39 text

Ngrok for Testing Webhooks
https://ngrok.com/ - secure tunnel to your dev platform
Use this tool to:
• webhook into code running locally
• inspect the request and response of the webhook
• replay requests and see the responses

Slide 40

Slide 40 text

Webhooks ... are awesome :)

Slide 41

Slide 41 text

Webhooks in Your Applications
• Use them WHEN you want to notify other systems
• Examples of HOW to use webhooks hopefully gave you some ideas
• Webhooks are HTTP: we already understand this

Slide 42

Slide 42 text

Thanks!
• Feedback please! https://joind.in/
• IBM Cloud: https://www.ibm.com/cloud/
• Requestbin: http://requestb.in
• Ngrok: https://ngrok.com/
• PHP Web Services from O'Reilly
• Example app: https://github.com/ibm-watson-data-lab/guestbook
• PHP/CouchDB: https://github.com/ibm-watson-data-lab/php-couchdb