🚨 Warning: Breaking change in Webhooks

Hey @Community

We are rolling out a breaking change to the structure of the webhook payloads sent by the Speckle servers. It is going to remove a gotcha™ moment from using our webhooks.

Currently a webhook looks like this:

  "payload": "{a bunch of data as a json object}"

After the change:

  "payload": {a bunch of data as a json object}

Notice the missing " marks from around the payload value.
That is the breaking change, moving forward, starting from server 2.12.0 we are not going to double json stringify the payload value, which was arguably not the best in the first place.

What this gives you, the consumer of the webhook event, is after you, or your webframework of choice de-serializes the body of the incoming webhook request, you DO NOT need to de-serialize the value of the payload key anymore.

Sorry for breaking stuff, but sometimes its best to do these changes.
Happy Speckling,

a friendly reminder, every webhook request includes an X-WEBHOOK-SIGNATURE header in the request. The value of this header item is a hex digest of a sha256 hmac generated from the webhook payload and the WEBHOOK_SECRET that can be set when creating or updating the webhook.

Validation of the signature in python just a few lines:

import hmac
import hashlib

# same value, that is set for the server webhook secret
secret = 'your webhook_secret'
# notice, this is a byte string, the raw body of the request
message = b'{"payload":{"streamId":...}'

hmac_result = hmac.new(secret.encode('utf-8'), message, hashlib.sha256).hexdigest()

assert hmac_result == value of "X-WEBHOOK-SIGNATURE" header