Webhook Abuse Protection Handshake Issue

Trying to subscribe to a webhook but I am getting an error about the 'WebHook-Allowed-Origin' header not being correct.

Response:

'type': 'urn:blackbaud:webhook-url-handshake-missing-origin-header',
'title': 'One or more validation errors occurred.',
'status': 400,
'detail': "Received an unexpected 'WebHook-Allowed-Origin' header value from your webhook URL when performing the CloudEvent's Abuse Protection handshake. The header must equal 'eventgrid.azure.net'. Review our Webhook API documentation to learn more. https://developer.blackbaud.com/skyapi/apis/webhook"

Code:


    def cloud_events_handshake():
        if env_vars['other']['hook_secret'] == request.args.get('webhookKey'):
            event = from_http(request.headers, request.get_data())
            if event['WebHook-Request-Origin'] == 'eventgrid.azure.net':
                #resp = make_response(200)
                response = Response(status=200, mimetype="application/json")
                response.headers['WebHook-Allowed-Origin'] = 'eventgrid.azure.net'
                return response
        else:
            abort(403)

The header is already set to the correct value. Is there something I'm missing here?

Comments

  • Chris Rodgers
    Blackbaud Employee

    Hey Kevin,

    I don't have much experience with Python (or Flask?). From my quick experiment with it, requests weren't being processed by my `cloud_events_handshake` function unless I explicitly set the HTTP methods that were valid for my function.

    @app.route('/', methods = ['OPTIONS'])
    def cloud_events_handshake():

    Otherwise, I was just getting a successful response (200 status code) without my code having done anything with the request – no added header or response body.

    You can test your webhook's OPTIONS and POST handlers with the test requests described in our documentation. This will allow you to validate your endpoint prior to working with the Webhook API. This tutorial will also walk you through a C# implementation. We also have PHP and NodeJS samples here.

    Let me know if you run into other issues.

  • Chris,

    I was able to figure it out. Within Flask, I had two routes with the same URL scheme, but figured that with one being set to accept only POST requests for webhooks and another with an OPTIONS request for the handshake, Flask would route the request to each function dependent on the method used. This wasn't the case, as Flask apparently automatically includes the OPTIONS method in its routing, so it kept defaulting to the POST route, which wasn't set up to handle the abuse protection handshake.

  • Chris Rodgers
    Blackbaud Employee

    Glad you got it figured out, Kevin! Thanks for updating the post too – might help someone else who runs into this.
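
As an added example (not code from this thread or from Blackbaud's samples), the stdlib-only probe below sends the handshake OPTIONS request to any WSGI callable, which a Flask `app` object is, and reports whether `WebHook-Allowed-Origin` comes back. `handshake_app`, `auto_options_app` (a constructed stand-in for a framework's automatic OPTIONS reply), `probe_handshake`, the `/hook` path and the secret are all assumptions made for the example.

```python
import hmac
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

EXPECTED_ORIGIN = "eventgrid.azure.net"  # value quoted in the error message above
HOOK_SECRET = "constructed-demo-secret"  # constructed; load the real one from config


def _reply(start_response, status, headers=()):
    start_response(status, [("Content-Length", "0"), *headers])
    return [b""]


def handshake_app(environ, start_response):
    """Hypothetical receiver that answers the OPTIONS handshake itself."""
    key = parse_qs(environ.get("QUERY_STRING", "")).get("webhookKey", [""])[0]
    if not hmac.compare_digest(key.encode(), HOOK_SECRET.encode()):
        return _reply(start_response, "403 Forbidden")
    if environ["REQUEST_METHOD"] == "OPTIONS":
        # WebHook-Request-Origin arrives as a request header on the handshake.
        if environ.get("HTTP_WEBHOOK_REQUEST_ORIGIN") != EXPECTED_ORIGIN:
            return _reply(start_response, "403 Forbidden")
        return _reply(start_response, "200 OK",
                      [("WebHook-Allowed-Origin", EXPECTED_ORIGIN)])
    return _reply(start_response, "200 OK")  # event POSTs are acknowledged here


def auto_options_app(environ, start_response):
    """Stand-in for a framework's automatic OPTIONS reply: 200 plus Allow only."""
    return _reply(start_response, "200 OK", [("Allow", "POST, OPTIONS")])


def probe_handshake(app, path="/hook", key=HOOK_SECRET, origin=EXPECTED_ORIGIN):
    """Send the handshake to a WSGI app; return (status, WebHook-Allowed-Origin)."""
    environ = {"REQUEST_METHOD": "OPTIONS", "PATH_INFO": path,
               "QUERY_STRING": f"webhookKey={key}",
               "HTTP_WEBHOOK_REQUEST_ORIGIN": origin}
    setup_testing_defaults(environ)  # fills the remaining required WSGI keys
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])
        seen["headers"] = {name.lower(): value for name, value in headers}

    body = app(environ, start_response)
    list(body)  # drain the response so the app finishes
    if hasattr(body, "close"):
        body.close()
    return seen["status"], seen["headers"].get("webhook-allowed-origin")
```

A result of `(200, None)` is the failure described in the thread: the request succeeded, but another handler answered it, so the header was never added.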