Problem with the HMAC signature and response code

[mermetbt]

Hello,

I'm trying to test the webhook with Xero and they state in their documentation that:

If the payload is hashed using HMACSHA256 with your webhook signing key and base64 encoded, it should match the signature in the header. This is a correctly signed payload. If the signature does not match the hashed payload it is an incorrectly signed payload.

I've configured the webhook following their instruction

I can see in the log that the error message is "Invalid Signature - Hash does not match"

Also, I've seen in their doc that:

To gain Intent to receive validation, the receiving url must respond with a 2xx status for all correctly signed payloads and status: 401 Unauthorized for all incorrectly signed payloads.

And the response sent in the log is 400 Bad Request, which is different from an unauthorized request. I would expect an authentication failure to return a 401.

How could I configure this? Is there an easy way to see what the webhook received and failed to process? like a deadletter queue or something we could use to investigate or detect issues on the upstream?

[jirevwe]

Hi @mermetbt

if I understand you correctly:

1. You specifically require a mismatched signature error to return a 401 code. For this, we would need to modify the API. It might take a while since the change will go out in the next release.
2. If the event's signature did not match, it means Convoy did not ingest it and it wasn't written to the internal queue. We don't log request/response bodies even on the OSS version because of security so looking at the logs won't bear any fruit on that front. We do however expose a UI that can be used to inspect the queues and you can view them by visiting http(s)://your-host/queues/monitoring/ The trailing slash is required.

[mermetbt]

1. As there might be different implementation of the authentication protocol, I would suggest a way to configure this as an advance part of the the authentication configuration. I understand it could take a while to implement this, I'm not expecting this to be released ASAP.
2. What I mean is that for all events that doesn't pass (invalid signature, bad request, ...), you should probably have a deadletter queue where they are sent for debugging. Then you can provide a display for theses types of events.
   For example, here what it look like in the developer section of Stripe:

I just put that as a suggestions for improvements.

[jirevwe]

Hmm, that makes sense. Thanks for the suggestion.