Verify Webhook Requests in Bubble

Hi Bubble Community,

I’m working on integrating Fluidpay’s (Payment Processing Gateway) webhooks into my Bubble application to handle subscription-based transactions. I’ve successfully set up the webhook in Fluidpay and created an API endpoint in Bubble. I’ve also used the “Detect Data” button in Bubble, which confirmed that Bubble can receive the webhook payload.

However, I have a concern about the security aspect of verifying the HMAC SHA 256 signature that Fluidpay includes with each webhook request.

Current Setup:

  1. Webhook Configuration in Fluidpay:

    • I’ve configured the webhook in Fluidpay to point to my Bubble API endpoint.
    • The webhook is set to trigger on transaction creation.
  2. API Endpoint in Bubble:

    • I’ve created an API workflow in Bubble to handle the incoming webhook data.
    • The endpoint successfully detects and processes the webhook payload.

Security Concern:
Fluidpay’s documentation mentions that each webhook request is sent with a header “Signature” that is HMAC SHA 256 signed and then base64 URL encoded. To verify webhook post signatures, the “Signature” header must be decoded and checked using the HMAC SHA 256 algorithm with a secret key.

Here is the relevant excerpt from Fluidpay’s documentation:

Here’s the full documentation: Webhooks

Questions:

  1. Does Bubble handle HMAC SHA 256 signature verification natively?

    • If not, what are the best practices for implementing this verification to ensure security?
  2. Steps to Implement External Verification:

    • I understand that using AWS Lambda (or a similar service) can help with this verification. Here are the steps I’m considering:
      1. Set Up AWS Lambda Function:
        • Create a Lambda function that receives the webhook request, verifies the HMAC SHA 256 signature, and then forwards the verified request to Bubble.
      2. Update Fluidpay Webhook URL:
        • Point the Fluidpay webhook to the Lambda function endpoint.
      3. Forward Verified Requests to Bubble:
        • Ensure the Lambda function forwards only verified requests to the Bubble webhook endpoint.

Current Attempt:
I have attempted the following setup based on my understanding:

  • Added a parameter in Bubble’s API workflow to check the response_code and ensure it’s only processing successful transactions.
  • Configured the webhook in Fluidpay and tested connectivity successfully.

Request for Assistance:
Any insights, examples, or guidance on securely verifying Fluidpay webhooks in Bubble would be greatly appreciated. If you have experience with similar setups or can point me to relevant resources, that would be incredibly helpful.

Thank you in advance for your support!

Trevor
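The signature check from the Lambda relay steps above, as an added example that is not part of the original thread or Fluidpay's documentation. It assumes the HMAC is computed over the raw request body and that the event has the API Gateway proxy shape; `forward` is a hypothetical callable that posts the body to the Bubble endpoint, and the secret and payload are constructed.

```python
import base64
import binascii
import hashlib
import hmac

def sign(raw_body, secret):
    """Build a header value as the post describes it (only used for the sample)."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def decode_signature(header_value):
    """Decode a base64url Signature header; return None if missing or malformed."""
    if not header_value:
        return None
    value = header_value.strip()
    value += "=" * (-len(value) % 4)  # accept padded and unpadded encodings
    try:
        return base64.b64decode(value, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None

def verify_webhook(raw_body, signature_header, secret):
    """True only if the header is a valid HMAC-SHA256 of the exact bytes received."""
    received = decode_signature(signature_header)
    if received is None:
        return False
    # Assumption: the signed message is the raw body, not re-serialized JSON.
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison

def handler(event, secret, forward):
    """Relay: pass the body on to Bubble only when the signature verifies."""
    body = event.get("body") or ""
    raw = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode("utf-8")
    # Header names are case-insensitive, so normalize before the lookup.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    if not verify_webhook(raw, headers.get("signature"), secret):
        return {"statusCode": 401, "body": "invalid signature"}
    forward(raw)  # hypothetical: POST the verified body to the Bubble endpoint
    return {"statusCode": 200, "body": "ok"}

if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample values
    payload = b'{"response_code": 100}'
    print(verify_webhook(payload, sign(payload, secret), secret))
    print(verify_webhook(payload + b" ", sign(payload, secret), secret))
```

Because the Bubble endpoint stays publicly reachable, the relay only helps if Bubble can tell forwarded requests apart from direct ones, for example by a separate secret that the relay adds and the workflow checks.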

No. There’s a plugin that you can use to validate the signature. You need to activate Bubble detect header too to get the signature.

Thank you for your response, @Jici !

I appreciate the guidance on using a plugin for signature validation. Could you recommend a specific plugin that you have found effective for HMAC SHA 256 signature verification?

Also, if anyone has a step-by-step guide or best practices for setting up such a plugin in Bubble, that would be incredibly helpful.

Thanks again for your support!

Trevor

I prefer to create my own in these cases. But you can search for HMAC plugins and maybe test some of them.

Found this one by @ZeroqodeSupport :

Not sure if actions are available for Backend API Workflows though? Anybody out there know of one that has actions for Backend API Workflows?

Thanks,
Trevor

1 Like

You can subscribe monthly and cancel after looking. You won’t be charged. Monthly subscriptions are prorated with days.

2 Likes