I am looking to ask about adding access to the rawBody of the webhook when a request comes in. I need this in order to verify the signature that gets passed along in the signature.
My main purpose is currently building a Slack app, but I anticipate any public usage of the webhook would require a similar verification.
Hey @dda - I don't think it's been prioritized just yet, but I'll give the corresponding ticket a bump on your behalf and let you know as soon as there's been some movement.
I did build out something similar for a Discord app recently, but resorted to spinning up a basic Express server for handling the verification.
Kinda defeats the purpose of Workflows by having a middleman...
The input/output of workflows needs some work, since this issue also came up when I was trying to play with Asana, since they expect the secret to be set in the response header.
This same issue happens trying to validate Stripe Webhook signatures. If we want to be completely sure that a request is sent by Stripe, we need to validate using the raw body.
Ran into the same problem trying to validate a webhook signature from Xero (Configuring your server — Xero Developer). Now I have to implement "something" outside of Retool Workflows.
Thanks for the bumps, y'all! The additional context is super helpful.
For anybody running an on-prem deployment, we recently defined an environment variable that is capable of enabling this. By setting WORKFLOWS_WEBHOOKS_INCLUDE_RAW_PAYLOAD to true, you can access the raw request body as startTrigger.metadata.rawDataBase64. This should be available on the 3.196 release.
Note that this functionality does not currently exist for cloud instances, as we are evaluating the potential impact on our infrastructure, but I'll provide another update as soon as I can.
No update on the ticket. I did see that the ticket's status is 'ready for work', which means it should hopefully be getting assigned to an engineer soon.
From Darren's comment above, it seems that self-hosted users are able to toggle the mentioned variable to get the raw data payload. If you are on cloud, then this will not be possible until the ticket is completed.
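An added example, not part of the original thread and not Retool's own code: verifying a Slack-style signature from the base64 raw body exposed as startTrigger.metadata.rawDataBase64, and showing why re-serialized JSON fails the check. It assumes Slack's v0 signing scheme (HMAC-SHA256 over "v0:timestamp:body") and plain Node.js; the function names are hypothetical, and the timestamp and signature header values are passed in as arguments because the thread does not say how headers are exposed.

```javascript
const crypto = require("crypto");

// Slack-style check: HMAC-SHA256 over "v0:<timestamp>:<raw body bytes>".
// rawDataBase64 is the value read from startTrigger.metadata.rawDataBase64.
function verifySlackSignature({ rawDataBase64, timestamp, signature, signingSecret,
  nowSeconds = Math.floor(Date.now() / 1000), toleranceSeconds = 300 }) {
  if (typeof rawDataBase64 !== "string") return false;
  // Reject stale or malformed timestamps so a captured request cannot be replayed later.
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > toleranceSeconds) return false;

  // Decode to the exact bytes the sender signed; never re-serialize parsed JSON.
  const rawBody = Buffer.from(rawDataBase64, "base64");
  const expected = "v0=" + crypto.createHmac("sha256", signingSecret)
    .update(`v0:${timestamp}:`).update(rawBody).digest("hex");

  // timingSafeEqual throws on unequal lengths, so check length first.
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(String(signature || ""), "utf8");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample values (not real Slack traffic, not a real secret).
const SAMPLE_SECRET = "constructed-signing-secret";
const SAMPLE_TS = "1700000000";
const SAMPLE_RAW = '{"type":"event_callback",  "event":{"text":"hi"}}'; // double space is deliberate

const toB64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Stands in for the sender: signs the raw body the way the verifier expects.
function signForDemo(body, ts, secret) {
  return "v0=" + crypto.createHmac("sha256", secret).update(`v0:${ts}:${body}`).digest("hex");
}

function demo() {
  const signature = signForDemo(SAMPLE_RAW, SAMPLE_TS, SAMPLE_SECRET);
  const base = { timestamp: SAMPLE_TS, signature, signingSecret: SAMPLE_SECRET, nowSeconds: 1700000060 };
  // Parsing and re-stringifying drops the extra whitespace, so the bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_RAW));
  return {
    raw: verifySlackSignature({ ...base, rawDataBase64: toB64(SAMPLE_RAW) }),
    reserialized: verifySlackSignature({ ...base, rawDataBase64: toB64(reserialized) }),
    stale: verifySlackSignature({ ...base, rawDataBase64: toB64(SAMPLE_RAW), nowSeconds: 1700003600 }),
    truncatedSig: verifySlackSignature({ ...base, signature: signature.slice(0, 20), rawDataBase64: toB64(SAMPLE_RAW) }),
  };
}
```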