
Determine if a webhook was triggered by an API client

Open glen-84 opened this issue 3 years ago • 4 comments

Description

When comparing a webhook event for user.update when triggered via the web and via an API client, there isn't much to tell them apart, other than info.userAgent which is set for the former but not the latter.

We want to skip some webhook code if the request was triggered via an API client (f.e. the PHP client). I tried adding:

$this->headers[] = 'User-Agent: FusionAuth PHP Client 1.36.0';

... to the PHP client, but it didn't seem to make its way back to the webhook event.

Is something like this possible/easy? Or another field under info to differentiate trigger sources?

Use case: Bidirectional synchronization

FusionAuth -> external system
External system -> FusionAuth

Avoid: External system -> FusionAuth -> External system.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Related issues

  • https://github.com/FusionAuth/fusionauth-issues/issues/1543 is the generic webhook improvement tracking feature

glen-84 avatar Apr 22 '22 15:04 glen-84

Hmmm. The web front end uses the API internally too, so I'm not sure we'd implement this.

You could do this on your own by leveraging the user.data field. Maybe set user.data.apiUpdate = <timestamp> when updating a user via the API and check for that in the consuming webhook?

Or in the more general sense: user.data.updatingEntity = <entityname> or something similar?

mooreds avatar Apr 23 '22 14:04 mooreds
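The user.data marker suggested in the comment above, sketched as a webhook-side check. This is an added example, not part of the original thread and not FusionAuth code. The keys `updatingEntity` and `apiUpdate` follow the comment's suggestion; the `event.original` / `event.user` payload layout, the `SYNC_ENTITY` value and all sample events are assumptions constructed for illustration.

```python
from typing import Any, Mapping, Optional, Tuple

SYNC_ENTITY = "external-sync"  # hypothetical value the external system writes


def _marker(user: Optional[Mapping[str, Any]]) -> Tuple[Any, Any]:
    """Return (updatingEntity, apiUpdate) from user.data, tolerating missing keys."""
    data = (user or {}).get("data") or {}
    return data.get("updatingEntity"), data.get("apiUpdate")


def triggered_by_own_sync(payload: Mapping[str, Any], entity: str = SYNC_ENTITY) -> bool:
    """True only if this user.update event is the one that wrote our marker."""
    event = payload.get("event") or {}
    if event.get("type") != "user.update":
        return False
    new = _marker(event.get("user"))
    old = _marker(event.get("original"))
    if new[0] != entity or new[1] is None:
        return False
    # user.data persists across updates, so a later web edit still carries the
    # old marker. Skip only when the marker changed in this particular update.
    return new != old


def _event(old_data: dict, new_data: dict) -> dict:
    """Build a constructed user.update payload (assumed layout)."""
    return {"event": {"type": "user.update",
                      "original": {"id": "u1", "data": old_data},
                      "user": {"id": "u1", "data": new_data}}}


# Constructed sample events.
STAMP_1 = {"updatingEntity": SYNC_ENTITY, "apiUpdate": 1650000000000}
STAMP_2 = {"updatingEntity": SYNC_ENTITY, "apiUpdate": 1650000005000}
SYNC_WRITE = _event({}, STAMP_1)                 # external system -> FusionAuth
WEB_EDIT_AFTER_SYNC = _event(STAMP_1, STAMP_1)   # stale marker, must not be skipped
SECOND_SYNC_WRITE = _event(STAMP_1, STAMP_2)     # marker refreshed by the sync job

if __name__ == "__main__":
    for name, ev in [("sync write", SYNC_WRITE),
                     ("web edit after sync", WEB_EDIT_AFTER_SYNC),
                     ("second sync write", SECOND_SYNC_WRITE)]:
        print(f"{name}: skip={triggered_by_own_sync(ev)}")
```

Two sync writes that reuse the same timestamp compare as unchanged and would not be skipped, so the writer needs a value that differs on every update.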

I did think about using user.data, but it's a bit messy, and might not work well when there are concurrent or near-concurrent updates.

Even if we set a UA ourselves, or set another custom header, is there an easy way for you to forward this header to the webhook?

glen-84 avatar Apr 24 '22 11:04 glen-84

This seems related to https://github.com/FusionAuth/fusionauth-issues/issues/1660 but I'm not sure of LOE.

mooreds avatar Apr 25 '22 22:04 mooreds

How about the ability to disable webhooks using a header?

DELETE /api/users/...

FusionAuth-DisableWebhooks: true

That would prevent FA from notifying external systems when the external system triggered the action.

Should be quite easy to implement?

glen-84 avatar May 29 '22 11:05 glen-84