Structured responses to webhook events (#265)

bradenkeith · web-flow · commit bd3e4fb50c7d · 2025-03-21T15:19:52.000-05:00
* Add WebhookResponse class for handling webhook actions and responses

* Refactor WebhookResponse create method and improve validation

* Resolve linting error

---------

Co-authored-by: Braden Keith &lt;bkeith@romegadigital.com&gt;
diff --git a/lib/Resource/WebhookResponse.php b/lib/Resource/WebhookResponse.php
@@ -0,0 +1,111 @@
+<?php
+
+namespace WorkOS\Resource;
+
+use WorkOS\Webhook;
+
+/**
+ * Class WebhookResponse.
+ *
+ * This class represents the response structure for WorkOS webhook actions.
+ */
+class WebhookResponse
+{
+    public const USER_REGISTRATION_ACTION = 'user_registration_action_response';
+    public const AUTHENTICATION_ACTION = 'authentication_action_response';
+    public const VERDICT_ALLOW = 'Allow';
+    public const VERDICT_DENY = 'Deny';
+
+    /**
+     * @var string
+     */
+    private $object;
+
+    /**
+     * @var array
+     */
+    private $payload;
+
+    /**
+     * @var string
+     */
+    private $signature;
+
+    /**
+     * Create a new WebhookResponse instance
+     *
+     * @param string $type Either USER_REGISTRATION_ACTION or AUTHENTICATION_ACTION
+     * @param string $secret Webhook secret for signing the response
+     * @param string $verdict Either VERDICT_ALLOW or VERDICT_DENY
+     * @param string|null $errorMessage Required if verdict is VERDICT_DENY
+     * @return self
+     * @throws \InvalidArgumentException
+     */
+    public static function create($type, $secret, $verdict, $errorMessage = null)
+    {
+        if (!in_array($type, [self::USER_REGISTRATION_ACTION, self::AUTHENTICATION_ACTION])) {
+            throw new \InvalidArgumentException('Invalid response type');
+        }
+
+        if (empty($secret)) {
+            throw new \InvalidArgumentException('Secret is required');
+        }
+
+        if (!in_array($verdict, [self::VERDICT_ALLOW, self::VERDICT_DENY])) {
+            throw new \InvalidArgumentException('Invalid verdict');
+        }
+
+        if ($verdict === self::VERDICT_DENY && empty($errorMessage)) {
+            throw new \InvalidArgumentException('Error message is required when verdict is Deny');
+        }
+
+        $instance = new self();
+        $instance->object = $type;
+
+        $payload = [
+            'timestamp' => time() * 1000,
+            'verdict' => $verdict
+        ];
+
+        if ($verdict === self::VERDICT_DENY) {
+            $payload['error_message'] = $errorMessage;
+        }
+
+        $instance->payload = $payload;
+
+        $timestamp = $payload['timestamp'];
+        $payloadString = json_encode($payload);
+        $instance->signature = (new Webhook())->computeSignature($timestamp, $payloadString, $secret);
+
+        return $instance;
+    }
+
+    /**
+     * Get the response as an array
+     *
+     * @return array
+     */
+    public function toArray()
+    {
+        $response = [
+            'object' => $this->object,
+            'payload' => $this->payload
+        ];
+
+        if ($this->signature) {
+            $response['signature'] = $this->signature;
+        }
+
+        return $response;
+    }
+
+    /**
+     * Get the response as a JSON string
+     *
+     * @return string
+     */
+    public function toJson()
+    {
+        return json_encode($this->toArray());
+    }
+}
diff --git a/lib/Webhook.php b/lib/Webhook.php
@@ -44,8 +44,7 @@ public function verifyHeader($sigHeader, $payload, $secret, $tolerance)
         $signature = $this->getSignature($sigHeader);
 
         $currentTime = time();
-        $signedPayload = $timestamp . "." . $payload;
-        $expectedSignature = hash_hmac("sha256", $signedPayload, $secret, false);
+        $expectedSignature = $this->computeSignature($timestamp, $payload, $secret);
 
         if (empty($timestamp)) {
             return "No Timestamp available";
@@ -89,4 +88,18 @@ public function getSignature($sigHeader)
 
         return $signature;
     }
+
+    /**
+     * Computes a signature for a webhook payload using the provided timestamp and secret
+     *
+     * @param  int     $timestamp  Unix timestamp to use in signature
+     * @param  string  $payload    The payload to sign
+     * @param  string  $secret     Secret key used for signing
+     * @return string  The computed HMAC SHA-256 signature
+     */
+    public function computeSignature($timestamp, $payload, $secret)
+    {
+        $signedPayload = $timestamp . '.' . $payload;
+        return hash_hmac('sha256', $signedPayload, $secret, false);
+    }
 }
diff --git a/tests/WorkOS/Resource/WebhookResponseTest.php b/tests/WorkOS/Resource/WebhookResponseTest.php
@@ -0,0 +1,149 @@
+<?php
+
+namespace WorkOS\Resource;
+
+use PHPUnit\Framework\TestCase;
+use WorkOS\TestHelper;
+
+class WebhookResponseTest extends TestCase
+{
+    use TestHelper {
+        setUp as protected traitSetUp;
+    }
+
+    /**
+     * @var string
+     */
+    protected $secret;
+
+    /**
+     * @var int
+     */
+    protected $timestamp;
+
+    protected function setUp(): void
+    {
+        $this->traitSetUp();
+        $this->withApiKey();
+
+        $this->secret = 'test_secret';
+        $this->timestamp = time() * 1000; // milliseconds
+    }
+
+    public function testCreateAllowResponse()
+    {
+        $response = WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            $this->secret,
+            WebhookResponse::VERDICT_ALLOW
+        );
+
+        $array = $response->toArray();
+
+        $this->assertEquals(WebhookResponse::USER_REGISTRATION_ACTION, $array['object']);
+        $this->assertArrayHasKey('payload', $array);
+        $this->assertArrayHasKey('signature', $array);
+        $this->assertEquals(WebhookResponse::VERDICT_ALLOW, $array['payload']['verdict']);
+        $this->assertArrayHasKey('timestamp', $array['payload']);
+        $this->assertArrayNotHasKey('error_message', $array['payload']);
+    }
+
+    public function testCreateDenyResponse()
+    {
+        $errorMessage = 'Registration denied due to risk assessment';
+        $response = WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            $this->secret,
+            WebhookResponse::VERDICT_DENY,
+            $errorMessage
+        );
+
+        $array = $response->toArray();
+
+        $this->assertEquals(WebhookResponse::USER_REGISTRATION_ACTION, $array['object']);
+        $this->assertArrayHasKey('payload', $array);
+        $this->assertArrayHasKey('signature', $array);
+        $this->assertEquals(WebhookResponse::VERDICT_DENY, $array['payload']['verdict']);
+        $this->assertEquals($errorMessage, $array['payload']['error_message']);
+        $this->assertArrayHasKey('timestamp', $array['payload']);
+    }
+
+    public function testCreateAuthenticationResponse()
+    {
+        $response = WebhookResponse::create(
+            WebhookResponse::AUTHENTICATION_ACTION,
+            $this->secret,
+            WebhookResponse::VERDICT_ALLOW
+        );
+
+        $array = $response->toArray();
+
+        $this->assertEquals(WebhookResponse::AUTHENTICATION_ACTION, $array['object']);
+        $this->assertArrayHasKey('payload', $array);
+        $this->assertArrayHasKey('signature', $array);
+    }
+
+    public function testCreateWithoutSecret()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Secret is required');
+
+        WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            '',
+            WebhookResponse::VERDICT_ALLOW
+        );
+    }
+
+    public function testInvalidResponseType()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Invalid response type');
+
+        WebhookResponse::create(
+            'invalid_type',
+            $this->secret,
+            WebhookResponse::VERDICT_ALLOW
+        );
+    }
+
+    public function testInvalidVerdict()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Invalid verdict');
+
+        WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            $this->secret,
+            'invalid_verdict'
+        );
+    }
+
+    public function testDenyWithoutErrorMessage()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionMessage('Error message is required when verdict is Deny');
+
+        WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            $this->secret,
+            WebhookResponse::VERDICT_DENY
+        );
+    }
+
+    public function testToJson()
+    {
+        $response = WebhookResponse::create(
+            WebhookResponse::USER_REGISTRATION_ACTION,
+            $this->secret,
+            WebhookResponse::VERDICT_ALLOW
+        );
+
+        $json = $response->toJson();
+        $decoded = json_decode($json, true);
+
+        $this->assertIsString($json);
+        $this->assertIsArray($decoded);
+        $this->assertEquals(WebhookResponse::USER_REGISTRATION_ACTION, $decoded['object']);
+    }
+}
