WebHooks (Security and other Ideas)

(simon) #1

There’s been some discussion on Twitter about what people want out of our webhooks. I’d like to open up the floor: what would you like out of our webhooks? Here’s some ideas that have been suggested before to get the ball rolling…

  • SSL cert pinning (you tell us what cert you’re using and we’ll only talk to that).
  • SSL only (now that Let’s Encrypt is a thing).
  • Re-Push webhooks when you add a note, or change the category.
  • An API endpoint where you can ask for the last n webhooks to be replayed.
  • Authorisation webhooks, we could actually ask you before approving transactions (maybe, lots of issues to think about here…)

(Richard Dingwall) #2
  • webhook payload should include a signature hash :slight_smile:
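
A worked example of the signature-hash idea above, added here as an illustration (this is not Monzo’s code or its actual webhook scheme; the header names, the shared secret and the sample event are all constructed for the example). The sender computes an HMAC-SHA256 over a timestamp plus the raw request body and sends it in a header; the receiver recomputes it with the shared secret, compares in constant time, and rejects deliveries that are tampered with, signed with another key, or too old to be fresh.

```python
import hmac
import hashlib
import json
import time
from typing import Optional

# Hypothetical shared secret that the receiver registered with the webhook sender.
# Constructed for this example; a real deployment would generate a random one.
SHARED_SECRET = b"example-webhook-secret-do-not-use"

SIGNATURE_HEADER = "X-Webhook-Signature"   # hypothetical header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # hypothetical header name
MAX_AGE_SECONDS = 300                      # reject deliveries older than 5 minutes


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over "<timestamp>.<raw body>".

    Binding the timestamp into the MAC means a captured delivery cannot be
    replayed indefinitely, and signing the raw bytes (not a re-serialised JSON
    object) avoids canonicalisation mismatches between sender and receiver.
    """
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_delivery(secret: bytes, event: dict, timestamp: Optional[int] = None):
    """Sender side: produce (headers, raw body) for one webhook delivery."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(ts),
        SIGNATURE_HEADER: sign_payload(secret, ts, body),
    }
    return headers, body


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: True only if the signature is valid and the delivery is fresh.

    hmac.compare_digest is used so the comparison cannot leak how many leading
    characters of the presented signature matched (timing side channel).
    """
    try:
        ts = int(headers[TIMESTAMP_HEADER])
        presented = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False  # missing or malformed headers: reject
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:
        return False  # stale (or future-dated) delivery: reject
    expected = sign_payload(secret, ts, body)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample event; field names are illustrative only.
    event = {"type": "transaction.created", "amount": -350, "description": "COFFEE"}
    headers, body = build_delivery(SHARED_SECRET, event)
    print("genuine delivery accepted:", verify_delivery(SHARED_SECRET, headers, body))
    tampered = body.replace(b"-350", b"-3500")
    print("tampered body accepted:", verify_delivery(SHARED_SECRET, headers, tampered))
    print("wrong secret accepted:", verify_delivery(b"other-secret", headers, body))
```

The receiver must verify against the exact bytes it read off the wire, before any JSON parsing, because re-serialising the parsed object can reorder keys or change whitespace and silently break the comparison.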

(simon) #3
  • Let the webhook receiver respond with a kind of JSON patch. With this you could do things like “I want to automatically add the word ‘business trip’ to any txns I make in the next week.”

(Daniel Stone) #4

Once that’s done (and the default certificate-validation policy, in absence of user-provided constraints such as pinning, documented), the examples should be changed to https:// rather than http://, in order to not encourage users to send financial data in plaintext.

(Marco Slater) #5

Certificate based authentication goes both ways. Perhaps present a client certificate to the webhook receiver server, as an alternative option to signature.

(Joshua Turner) #6

Not really a webhook suggestion, but for API ideas @simon here’s mine:

  • API Endpoint for updating a feed item I’ve created. (For example, with an Amazon order update it can update the feed item.)
  • API Endpoint for removing a feed item I’ve created.
  • API Endpoint for listing the feed items I’ve created.
  • API Endpoint for bumping up a feed item to the top of the list.

“I’ve created” just meaning from the client Id that created it.

Just a random question: I’d like to be able to bump feed items back to the top of the list. It’s a choice between removing the feed item and recreating it (saving creating another endpoint), or is it easier to update a timestamp and have it move up the list, since essentially it’s the same feed item with new content, not a new feed item?

(Ben) #7

An authorisation webhook would be pretty sweet. Difficult to get working potentially without delaying authorisation though, I imagine.

Top up notifications through the webhooks would be nice!