About Zapier Community
New to our Community? Get to know more about our space and how to make the most of your time here.

Code of Conduct Community FAQ's Zapier Common Questions What to Expect

Get Started With Zapier
New to Zapier? We have got you covered with our Zapier 101 Resources.

Zapier Essentials

Get Support
Have a question? Let's get you an answer!

How Do I...? Troubleshooting Code & Webhooks Developer Zone

Other Help Resources
Wait, there's more! Check out these Community sourced spaces for additional resources.

Zapier Help Center Hire an Expert

Zapier Products
Learn more about Zapier's new products.

Zapier Tables Zapier Interfaces

Zapier Reading
All of our best learning resources can be found here.

Featured Articles Show & Tell AI Hub Zapier Tools Hub

Learning Groups
Excited to meet other builders? Check out our interest areas full of doers, dreamers, and in-betweeners.

User Groups

Other Learning Resources
Some of our favorite additional ways to upskill your Zapier knowledge.

Zapier Learn Zapier Blog Zapier Webinars

Product Updates
Check out what is new and upcoming with Zapier with our regular product updates.

Product Updates

Early Access Program
Want to join Early Access? Learn more here.

Question

Best practice for resthook security - invalid signature

  • 10 March 2021
  • 1 reply
  • 88 views
E

I’m developing a Zapier app, via the CLI, that uses RestHooks.

I want to support signed webhooks, so when the Zapier user, when making a zap, creates the integration with my app, in addition to putting in their api key (for my service), they can optionally add in a shared secret, which will be used to sign the webhooks from my service to Zapier.
 

I’m checking the signatures in the “perform” function, but I’m not sure what the best practice is, when the verification fails.

Right now, I’m throwing a `z.errors.HaltedError`, but this is not doing what I expected.

When I send a bad signature, when I fetch logs, I see the HaltedError, but the customer’s Zap shows as “Success”, including data about the second step in the Zap.

Zapier is also returning a 200 response to the webhook - which is fine, as we don’t really want the attackers to keep trying.

So, my question is, when an inbound webhook fails the validation (ie, it is being replayed or is otherwise an attack), what error should I throw so that the customer’s properly informed and not charged for zap run/attack/etc.

 

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

1 reply

Z
Userlevel 7
Badge +9

Hmm. Seems like that should keep the Zap from proceeding. I know I’d tested that with a polling trigger just the other week. (Sidebar: I actually found it too effective - if the trigger throws halted on its first run, the Zap will unceremoniously turn itself off. TLDR be careful with halted in polling triggers.)

 

For the sake of debugging, try switching to a general error and see if that changes the behavior.  https://zapier.github.io/zapier-platform/#general-errors.  Also you might add some z.console.log statements around that area of your code and make sure that it’s in fact reaching the error as you expect.  Let us know what you learn. If I get some time later I’ll write a test to explore for myself what goes on with halted in hook performs.  Not sure I’ve ever actually done that, and it is possible it doesn’t behave the way I’d expect.  

Terms & Conditions