GH-125 event_webhook module for webhook sign verification #118
@abhupadh thanks for the PR.

okay, will make the changes
francoisledroff
left a comment
Could we get rid of the caffeine dependency?
and use a HashMap instead if you strongly feel there is a need for a cache?
could you also push your PR change to a main remote https://github.com/adobe/aio-lib-java repo branch so the integration test can be run?
Yes, I removed the caffeine dependency and used a hashmap instead. Also, removed the retrofit with open feign. Check my latest commits. I have these tests failing which I need to fix. So, for that I think you mentioned to push this change to main branch?

I guess you forgot to push, I still see caffeine Utils and dependencies ...

I submitted a PR against your branch abhupadh#1 showing you the way
events_webhook/src/main/java/com/adobe/aio/event/webhook/service/EventVerifier.java
| @Service | ||
| public class EventVerifier { | ||
@Service / component annotation is required so that it can be auto injected in eg-auditor's -> EventServiceImpl as here in this PR
If this is the only reason that we need a @Service / @Component annotation, I don't see it as a compelling reason to include the Spring framework dependency.
Why can't we simply create an instance of EventVerifier in eg-auditor?
@francoisledroff : the integration tests are failing for the

please use the PR I did against your branch see abhupadh#1

This is not only used by customers but our own eg-auditor as well.
| <dependency> | ||
| <groupId>com.google.code.findbugs</groupId> | ||
| <artifactId>jsr305</artifactId> |
we need to remove this
| <groupId>io.github.openfeign</groupId> | ||
| <artifactId>feign-core</artifactId> | ||
| </dependency> | ||
let's revert this unnecessary change of core/pom.xml
| } | ||
| public EventVerifier() { |
your current implementation is forcing the use of your cache.
I would rather just see in this PR just a fully reusable public static method that helps you verify the signature.
as documented here https://developer.adobe.com/events/docs/guides/#security-considerations
events_webhook/src/main/java/com/adobe/aio/event/webhook/service/EventVerifier.java
| import javax.annotation.Nonnull; | ||
| import javax.annotation.Nullable; | ||
| public interface CacheService { |
I would really like to get rid of this cache.
our customer can easily use any cache service/framework they want.
this PR should only be about showing how to validate the message headers' signature and no more
| <artifactId>feign-form</artifactId> | ||
| <version>${feign-form.version}</version> | ||
| </dependency> | ||
| <dependency> |
let's remove these unwanted spring and findbugs dependencies
closing in favor of this enhanced PR #144

closing this as it was replaced by #144
Description
events_webhook which has the I/O Events webhook signature verification method

Related Issues
events_webhook add a webhook signature verification utility #125

Motivation and Context
Helps I/O Events Customers to setup their webhook verification using this sdk feature.

How Has This Been Tested?
Has the test EventVerifierTest which tests the api for verifying signature.

Types of changes

Checklist: