Tutorial Step 2 - Webhook Signature Validation
In the second step of the tutorial, the webhook from the first step is going to be enhanced to validate that the POST request actually comes from Adobe I/O. Adobe I/O Events has two validation methods. First, there is a field named `recipient_client_id` in the event body which can be used to validate that the event is intended for a particular webhook. Second, the event payload is digitally signed using a key pair generated by Adobe and the signature is provided in a request header. You can read more about these verification methods in the Adobe I/O Events documentation.
Checking the Client ID
Assuming that you populated the `CLIENT_ID` value in the `.env` file as directed in the tutorial introduction, this value can simply be compared with the `recipient_client_id` field in the event, for example by updating the POST handler to do this check:
```javascript
app.post('/webhook', (req, res) => {
  console.log(req.body)
  // Reject events that were not addressed to this integration's client ID.
  if (process.env.CLIENT_ID !== req.body.recipient_client_id) {
    console.warn(`Unexpected client id. Was expecting ${process.env.CLIENT_ID} and received ${req.body.recipient_client_id}`)
    res.status(400)
    res.end()
    return
  }
  res.set('Content-Type', 'text/plain')
  res.send('pong')
})
```
Checking the digital signatures is a bit more complex and outside the scope of this tutorial. Please refer to the Adobe I/O Events documentation for more information.
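The following added example, which is not from the original tutorial or from Adobe, combines a signature check with the client ID check and fails closed when `CLIENT_ID` is unset. It assumes a base64-encoded RSA/SHA-256 signature over the raw request body and uses a locally generated key pair in place of Adobe's; `signatureIsValid`, `validateEvent` and the 401/500 status codes are hypothetical, and the real header names and public key location must come from the Adobe I/O Events documentation.

```javascript
const crypto = require('crypto')

// Verify a base64 RSA/SHA-256 signature over the exact bytes that were received.
// Assumption: algorithm and encoding; confirm them in the Adobe I/O Events docs.
function signatureIsValid (rawBody, signatureB64, publicKeyPem) {
  if (typeof signatureB64 !== 'string' || signatureB64.length === 0) return false
  try {
    const signature = Buffer.from(signatureB64, 'base64')
    return crypto.verify('sha256', rawBody, publicKeyPem, signature)
  } catch (err) {
    return false // malformed key or signature: treat as unverified
  }
}

// Hypothetical helper: returns { ok, status, reason } for the POST handler to act on.
function validateEvent (rawBody, signatureB64, publicKeyPem, expectedClientId) {
  // Fail closed: with CLIENT_ID unset, `undefined !== undefined` is false and a
  // body without recipient_client_id would pass a bare comparison.
  if (!expectedClientId) return { ok: false, status: 500, reason: 'CLIENT_ID not configured' }
  // Check the signature before trusting anything inside the body.
  if (!signatureIsValid(rawBody, signatureB64, publicKeyPem)) {
    return { ok: false, status: 401, reason: 'bad signature' }
  }
  let event
  try {
    event = JSON.parse(rawBody.toString('utf8'))
  } catch (err) {
    return { ok: false, status: 400, reason: 'invalid JSON' }
  }
  if (!event || event.recipient_client_id !== expectedClientId) {
    return { ok: false, status: 400, reason: 'unexpected client id' }
  }
  return { ok: true, status: 200, reason: 'ok' }
}

// Constructed sample input: a local key pair stands in for Adobe's.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
const samplePem = publicKey.export({ type: 'spki', format: 'pem' })
const sampleBody = Buffer.from(JSON.stringify({ recipient_client_id: 'example-client-id' }))
const sampleSig = crypto.sign('sha256', sampleBody, privateKey).toString('base64')

console.log(validateEvent(sampleBody, sampleSig, samplePem, 'example-client-id'))
```

In an Express app the handler needs the unparsed request bytes, for example via `express.raw({ type: 'application/json' })`, because re-serialising `req.body` does not reproduce the bytes that were signed.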
Updating the Webhook
To update your webhook script, just replace the POST handler with the one above. If you are running the script locally, you'll need to stop and restart the node process. You don't need to restart ngrok. In fact, if you do restart ngrok, the URL will likely change and you'll need to go back into the Adobe Developer Console and update the Webhook URL.
If you are running the script through Glitch, Glitch will restart automatically. If you don't want to update your existing Glitch project (or lost it), you can click the button below to start over.
Next Step
With all that done, you're ready to proceed to the next step. Continue to Step 3.