I’m developing a Zapier app, via the CLI, that uses RestHooks.
I want to support signed webhooks, so that when the Zapier user, while making a Zap, creates the integration with my app, in addition to entering their API key (for my service), they can optionally add a shared secret, which will be used to sign the webhooks from my service to Zapier.
I’m checking the signatures in the “perform” function, but I’m not sure what the best practice is, when the verification fails.
Right now, I’m throwing a `z.errors.HaltedError`, but this is not doing what I expected.
When I send a bad signature, when I fetch logs, I see the HaltedError, but the customer’s Zap shows as “Success”, including data about the second step in the Zap.
Zapier is also returning a 200 response to the webhook - which is fine, as we don’t really want the attackers to keep trying.
So, my question is: when an inbound webhook fails the validation (i.e., it is being replayed or is otherwise an attack), what error should I throw so that the customer is properly informed and not charged for the Zap run/attack/etc.?