Webhook triggers

NOTE: Webhook triggers are very powerful and without proper configuration, quite dangerous. For this reason, webhooks triggers are disabled by default in Wunderautomation. To enable webhook triggers, go to Automation -> Settings -> General and enable webhooks.

Webhook URL #

Each webhook trigger has to have a unique link. The link consists of two parts

Webhook slug #

The webhook slug is the base URL for all incoming webhooks, it’s the first part of the webhok url after the domain name. The default value is ‘wa-hook’ but you can modify it to any value that you see fit.

Webhook unique identifier #

To differentiate between webhooks, each webhook gets a unique identifier. The default identifier value is a randomized 12 character long string. Just as with the slug, you can modify this to a value you e fit. Please be aware of that WunderAuomation does not check for duplicate webhook keys. If you define two workflows with the same unique key only one of them will be executed and it’s not possible to determine which one.

The WordPress base URL, the webhook slug and the unique identifier are combined into the unique URL for a webhook.

Authentication #

Webhook security is very important. WunderAutomation provides three different authentication mechanisms to authenticate an incomming http request. It’s possible to use zero, one or more authentication mechanisms.

Basic authentication #

Classic HTTP basic authentication as defined in RFC 7616. The Basic authentication method is enabled by default with a random username and password.

Please note that this method sends username and password in (almost) clear text. Should only be used on sites with SSL (https) enabled.

ParameterDescription
UsernameThe Username
PasswordThe password

API key in header #

Authenticates by checking a given HTTP header (defined in the workflow) for the correct API key.

Please note that this method sends the API key in clear text as an http header. Should only be used on sites with SSL (https) enabled

ParameterDescription
HTTP HeaderThe name of the HTTP header where WunderAutomation should look for the API key. Example: X_API_KEY
ValueThe API key. Note that this value is unique and different for each individual webhook workflow.

HMAC Signed payload #

Authenticates by verifying that a HMAC signature of the payload (posted data) signed with a shared secret key matches with the value provided in the header. The payload is signed using the SHA-1 algorithm (as it used by ie Gitbub).

This method never sends any secrets between the client and server, it is considered the safest of the three available methods.

ParameterDescription
HTTP HeaderThe name of the HTTP header where WunderAutomation should look for the signature. Example: X_HUB_SIGNATURE
SecretThe shared secret between the server (WunderAutomation) and the client (the application / script that calls the webhook).

Pseudo code #

Sending a valid HTTP request to a webhook using HMAC signed payload authentication:

Parameters and objects #

A webhook trigger can inject up to four different objects into the workflow, a post, an order, a user or a comment. It’s possible to inject more than one object into the workflow, but only one object of each type.

The object the webhook provides is determined by the parameters passed to the webhook:

The above parameter configuration assumes that the client that calls this webhook provides two parameters; post_id and user_id. The parameters can be passed as REQUEST URL parameters (in the request URL), as x-form-encoded parameters in the REQUEST BODY or as JSON in the request body.

Example:

https://example.com/wa-hook/abc123abc123?post_id=999&user_id=123

The above URL would trigger the workflow with a webhook trigger id = “abc123abc123” and inject the post with id=999 and user with id=123 into the workflow. The filters and actions in that workflow can then use these two objects for filtering and as parameters.

Note that it’s only possible to pass inteteger values as webhook parameters.

If now ALL the objects defined by the parameters resolves to valid WordPress objects, the webhook will silently fail.

Response codes #

The response is sent as JSON or plain text depending on the request Content-type header. In both cases, the following parameters are returned.

CodeMessageHTTP statusDescription
failUnkown hook code404No webhook trigger found with the unique id passed
failObjects not found400One or more of the passed objects id did not resolve to a valid WordPress object
failAuthentication failed401Authentication failed
okFilters did not pass200The workflow initialized as expected, but the workflow filters stopped the actions from executing.
oksuccess200The workflow initialized as expected and the actions was executed.

Powered by BetterDocs

Leave a Reply

Your email address will not be published. Required fields are marked *