Webhooks support for subscriber events

[kevinansfield]

no issue

Support for http://resthooks.org style webhooks that can be used with Zapier triggers. This can currently be used in two ways:

a) adding a webhook record to the DB manually
b) using the API with password auth and POSTing to /webhooks/ (this is private API so not documented)

⚠️ only https URLs are supported in the webhook target_url field 🚨

• add webhooks table to store event names and target urls
• add POST and DELETE endpoints for /webhooks/
• configure subscribers.added and subscribers.deleted events to trigger registered webhooks

[kirrg001]

Note: We should merge and release #9199 before this. #9199 for Tuesday then 👍

[jloh]

Is the plan for these to be used for things other than zapier? ie I can create hooks to a gateway I've written to get events from ghost?

If so, are they going to be signed? It'd be great if they were signed like GitHub ones! https://developer.github.com/webhooks/securing/

[kevinansfield]

@jloh this is for outgoing webhooks, I don't think the GitHub style signed requests make sense here - you already need to have a client_id/secret and access token because the webhook endpoints are behind the authentication. It's a basic implementation of http://resthooks.org.

Right now we're only looking to do the basics that are needed to work with Zapier and will only work with a couple of events to start: subscriber.create and subscriber.delete

"New post" events in Zapier will be triggered via polling instead.

[jloh]

The receiver (zapier, other service etc) still need a way to verify that the webhook they receive is genuine and not from someone else. The GitHub method of signing hooks is mentioned on their security page http://resthooks.org/docs/security/

[kevinansfield]

Signing may well be added later on, it's not something we're looking at for this early version. Security with Zapier is handled through the unique target_url and UUID of the webhook in Ghost - to exploit the receiver in Zapier someone would have had to access your database or sniff HTTP traffic on the original webhook creation request if you are hosting your blog on HTTP instead of HTTPS.

[ErisDS]

This is a very different pattern to any other code on the server side, so I can see that it's been a real struggle - this falls strongly in line with the conversation we had recently about having to invent everything all the time.

As the code works - it can be merged, no changes are really needed - however all of my comments are things we somehow need to codify into the codebase & surrounding documentation so that the way to solve these problems becomes obvious and not constant reinvention tests!

[kevinansfield]

@ErisDS I've attempted a refactor to make this more Ghost-like in 1e75a11, feel free to shoot that approach down if I've gone the wrong way, I'm certainly not attached to it! 😄

[kevinansfield]

Is that their official limit?

No, they don't have any official limits so it's possible they will use a different format in the future. This is an example of one of the resthook URLs they're currently creating:

https://hooks.zapier.com/hooks/standard/2665800/ae8965c1740e4db78571dfb486f7ccd0/
(81 chars)

If we were to limit the composite index to 191 chars it needs to be split between the event name and the URL, so something like 30/161. That's on the assumption we never have our own event names > 30 chars (maybe 35 would be more reasonable?) and resthook URLs of other services don't reach double the length of Zapier's which I think is reasonable but we have no data to back that up.

[kevinansfield]

I've been looking at other webhook URL examples

https://discordapp.com/api/webhooks/380692408364433418/mGLHSRyEoUaTvY91Te16WOT8Obn-BrJoiTNoxeUqhb6klKERb9xaZkUBYC5AfduwYCCy
(123 chars)

https://hooks.slack.com/services/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
(77 chars)

Discord is getting pretty close to the suggested 161 or 156 limit for target_url. For future compatibility I'd probably swing towards dropping the db constraint and reverting to the in-app validation when adding so there's no real chance of running into length limitations.

[kevinansfield]

I've reverted the db-level uniqueness constraint. Running a quick live test then I'll remove the WIP flag.

[kevinansfield]

@kirrg001 comments addressed

[kirrg001]

Does not break anything. Should be good to go now.