OAuth / Webhooks

Hi Bubblers !

I have an app and am trying to integrate it with Pipedrive.

The use case is:

  1. My users will connect their Pipedrive account from my app. I allow users to connect their Pipedrive account with an OAuth2 flow, as requested in the Pipedrive docs. Everything works well.

  2. I create a webhook in their Pipedrive account by calling a POST endpoint from my Bubble app (server-side) to Pipedrive, authenticating with a Bearer access token. Works well.

  3. Then my app will receive webhooks from their Pipedrive account to deal with their data. And here is the tricky part as I’d like to secure the endpoint by authorizing only authenticated calls received.

But:
Pipedrive webhooks only support basic HTTP auth.
So if I want to secure the endpoint where I receive webhooks from Pipedrive, I have to provide Pipedrive with http_auth_user / http_auth_password when creating the webhook, as mentioned in their docs.
But you can’t do this from Bubble as you don’t have access to users' passwords (which is good). Is there anything I am missing? Could someone help with this? How could I do this?

I also tried a workaround by creating a specific password for each of my clients, storing it (with privacy rules, no one can see it), and sending it in an encrypted way when I create the Pipedrive webhook. This way the endpoint would be without authentication, but I would be able to catch if the authorization headers match one of my client account specific passwords, and not allow any workflow from an attacker.
I can see that it works, and Pipedrive sends back the Authorization in the webhook headers (containing “Basic user:password”), but it is base64 encoded, and I can’t figure out how to decode it server side on Bubble. So I can’t do the matching with my database. Any idea?

Any help would be much appreciated :slight_smile:

Did you ever find a solution? I’m dealing with a similar issue.

Your users will need to authenticate with OAuth.

This process will lead them to their Pipedrive account, where they will need to grant your app access to their account.

This will redirect them to a page in your app, where you will receive their token and a refresh token. You will need to store their refresh token, that will be used in every call in order to regenerate their token (that expires in some minutes if I remember correctly).

Hi
I ended up generating a random password server side on Bubble for each account that connects to Pipedrive and saving it to the account.

The app provides it when creating the webhook through the Pipedrive API.

Every time the Bubble app receives a webhook, I decode the Authorization Basic and find the corresponding connected account, or trigger an error processing workflow if it doesn’t.

I finally decode the Authorization Basic from Pipedrive with a plugin, “base 64 encode/decode”.
I don’t usually like to use plugins but didn’t find another solution.

It has some drawbacks but it works well like this.
I believe Pipedrive has made some changes in their API, and I am sure other, smarter solutions exist :slight_smile:
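
The check described in the post above (decode the Authorization Basic header, then match it to a connected account), as an added example in Python that is not from the thread, Bubble or Pipedrive. It assumes the account id is sent as http_auth_user so the lookup is by username and the password is compared in constant time; `ACCOUNTS`, `provision`, `parse_basic`, `authenticate` and `basic_header` are hypothetical names.

```python
import base64
import binascii
import hmac
import secrets

# Constructed in-memory store: account id -> per-account webhook password.
ACCOUNTS = {}

def provision(account_id):
    """Generate the random password supplied as http_auth_password at webhook creation."""
    password = secrets.token_urlsafe(32)
    ACCOUNTS[account_id] = password
    return password

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password

def authenticate(header):
    """Return the matching account id, or None to route to the error workflow."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    expected = ACCOUNTS.get(user)
    # Unknown user: still compare against a throwaway value so the
    # response time does not reveal which account ids exist.
    candidate = expected if expected is not None else secrets.token_urlsafe(32)
    ok = hmac.compare_digest(password.encode(), candidate.encode())
    return user if ok and expected is not None else None

def basic_header(user, password):
    """Build the header a sender would attach (used to construct sample input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Base64 is an encoding, not encryption, so the header only stays confidential when the webhook endpoint is served over HTTPS.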

Yes.
What you describe is the OAuth flow and how to handle further API calls and refresh their access token.
The point here is more how to securely authenticate created/incoming webhooks received from Pipedrive after the OAuth process has been done.