`WebhookEventMessageHandler` is ignoring custom headers defined in an App `flow-action.xml` manifest when admin worker is disabled

[stefanpartheym]

PHP Version

8.1

Shopware Version

6.4.20.2

Expected behaviour

The request sent by WebhookEventMessageHandler should consider the headers defined in the app's flow-action.xml file:

<flow-actions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation="https://raw.githubusercontent.com/shopware/platform/trunk/src/Core/Framework/App/FlowAction/Schema/flow-action-1.0.xsd">
  <flow-action>
    <meta>
      <name>REDACTED_VALID_NAME</name>
      <label>READCTED</label>
      <label lang="de-DE">READCTED</label>
      <url>REDACTED_VALID_URL</url>
      <sw-icon>regular-envelope</sw-icon>
      <requirements>orderAware</requirements>
    </meta>
    <headers>
      <parameter type="string" name="content-type" value="application/json" />
      <parameter type="string" name="authorization" value="{{ authType }} {{ authToken }}" />
    </headers>
    <!-- Further stuff like config, etc... -->
  </flow-action>
</flow-actions>

Actual behaviour

The request sent by WebhookEventMessageHandler only contains headers set in WebhookEventMessageHandler::__invoke. see:

• WebhookEventMessageHandler.php line 48
• WebhookEventMessageHandler.php line 53

Headers set on those lines are:

• Content-Type
• sw-version
• sw-user-language
• sw-context-language

But custom headers like authorization as described in the flow-action.xml file are ignored.

However, if the admin worker is enabled (enable_admin_worker: true), the webhook will be sent by the WebhookDispatcher itself synchronously, which considers all headers of the AppFlowActionEvent (see WebhookDispatcher.php line 303).

How to reproduce

Disable the admin worker:

shopware:
  admin_worker:
    enable_admin_worker: false

Create a custom App with flow action definition as described in this guide.

Customize a flow (like "Order placed") to trigger the custom flow action.

Observe the resulting records in the webhook_event_log table in column request_content, which will not contain custom headers in the headers property.

[shopware-issue-bot[bot]]

We found the following existing issues which may help or are related to your topic:

• Update WebhookDispatcher to work with app flow action
• Request dispatched by app flow action is missing shopId for authentication
• Update app manifest element for flow action
• Feature request: Add more authorization types (like oAuth 2.0) to the flowbuilder webhook requests
• Create handler for Stop flow action
• Fix log message contain real flow id
• Core bug in swagflowbuilder
• Flow Builder: Broken popup with Flow "Checkout / Order / Return / Created" -> Aktion: webhook
• [GitHub] Fix log message contain real flow id
• Implement flow builder webhook log