How do I verify/authenticate a 3dcart webhook?


  • How do I verify/authenticate a 3dcart webhook?

    I am using the 3dcart webhook on new order to process recurring (auto ship) orders, but I'm finding the lack of documentation on the webhooks very difficult to work with. I am assuming that a new recurring order will also send the order information to the webhook. Now, I am wondering how I could verify that the request I receive is a valid 3dcart request. As it stands right now, anyone with knowledge of the API URL and some order information can call my API.

    Is there some 3dcart API that I can use to verify it?

    Also, isn't there any mechanism to test a recurring order webhook? The only thing I can do right now is purchase an item and reship it every day, and wait 24 hrs to see if it all worked.

  • #2
    There doesn't appear to be anything at the moment. It would be great if 3dcart would move to something like what GitHub does. Solutions to this problem have already been worked out for other systems so it really does make sense for 3dcart to move toward fixing this security hole.


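    The GitHub-style mechanism referred to above, as an added example that is not 3dcart's code or anything posted in this thread: the sender computes an HMAC-SHA256 over the raw request body with a shared secret, and the receiver recomputes it and compares in constant time before acting on the order. The header name, the secret and the sample order body are assumptions, since 3dcart does not document such a scheme here.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; in practice it would be configured on both the
# sending side (the platform) and this receiver, never sent in the request.
SHARED_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical header name


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over the raw body, prefixed with the algorithm."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute the MAC over the raw bytes (not a re-serialized
    JSON object) and compare in constant time.

    Returns False for a missing or malformed header as well as a mismatch, so
    the caller can simply drop the request.
    """
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, provided)


def handle_new_order(headers: dict, body: bytes) -> Optional[dict]:
    """Parse and return the order only if the signature checks out; else None."""
    if not verify_webhook(SHARED_SECRET, headers, body):
        return None  # unauthenticated request: take no action
    return json.loads(body)


# Constructed sample request, exactly as a signing sender would produce it.
SAMPLE_BODY = json.dumps({"OrderID": 12345, "OrderStatus": "New"}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SHARED_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_new_order(SAMPLE_HEADERS, SAMPLE_BODY))
    # Changing a single byte of the body invalidates the signature.
    print(handle_new_order(SAMPLE_HEADERS, SAMPLE_BODY.replace(b"12345", b"12346")))
```

    Because the MAC covers the raw bytes, the receiver must read the body before any framework middleware parses it; signing a re-serialized object would fail on whitespace or key-order differences.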

    • #3
      I believe the webhook is just a callback URL of sorts, so it just lets your system know that a new order was placed... it's then up to your system to verify (by polling the New status), and then process that data appropriately for your system. So, theoretically, if someone were to somehow invoke your system via the webhook, your system would poll 3dcart, find no new orders, and then go back to waiting. Or, in your code, do check the source of the request, and if it's not from 3dcart, take no action.



      • #4
        Originally posted by Alupis:
        I believe the webhook is just a callback URL of sorts, so it just lets your system know that a new order was placed... it's then up to your system to verify (by polling the New status), and then process that data appropriately for your system. So, theoretically, if someone were to somehow invoke your system via the webhook, your system would poll 3dcart, find no new orders, and then go back to waiting. Or, in your code, do check the source of the request, and if it's not from 3dcart, take no action.
        Although I agree the method you describe is technically possible, it leaves several open-ended issues. For example, "check the source of the request" is certainly possible, but attributes about that source (controlled by 3dcart) may change and cause the script to incorrectly fail. It would be much better to implement a documented security method, of which there are quite a few to choose from (two examples given earlier).



        • #5
          @kim You do realize the REST API does use tokens, secret keys, and other forms of security already?



          • #6
            Alupis -- yes I do -- still think there is room for improvement here though, specifically with webhooks.
