API Webhooks 403
onairmarc opened this issue
Affected Product
Which product does this bug affect?
Webhooks
Describe the bug
I just received numerous emails stating that the API Webhooks are failing due to a 403 error.
Given that the error is 403 and not 429, I believe our Cloudflare configuration causes this issue. Is there an IP Range that I can whitelist to prevent this from happening in the future?
To Reproduce
- Set up PCO Webhooks
- Put Cloudflare in front of your site/app
- Get large amounts of webhooks sent all at once and watch the failures begin
Expected behavior
Webhooks shouldn't be blocked. There needs to be a way to identify them while they are being delivered. The easiest way that comes to mind is that there should be a dedicated IP Range that can be whitelisted.
Screenshots
Additional Context:
- Endpoint: Receiving Webhooks
- Language: PHP
- Authentication: N/A. Receiving webhooks
Additional context
I contacted PCO Support, who directed me here.
I have...
- Reviewed the documentation found at https://developer.planning.center/docs
- Searched for previous issues reporting this bug
- Removed all private information from this issue (credentials, tokens, emails, phone numbers, etc.)
- Reviewed my issue for completeness
@onairmarc We use AWS infrastructure for delivering webhooks, so the IP range is out of our control. AWS publishes a list of their IP ranges here: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html ...but I cannot imagine that is going to be what you want since it's such a large list.
We also sign our webhook deliveries, which is documented here: https://developer.planning.center/docs/#/overview/webhooks ...maybe there's a way you could teach Cloudflare to check that? (Sorry I'm not familiar with Cloudflare, so I don't know.)
Last, you should know that we do back off and retry deliveries later, so your webhooks should get through eventually. I hope that helps!
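An added example, not part of the original thread and not Planning Center's code: one way to cut the AWS list mentioned above down to a usable allowlist is to filter the published `ip-ranges.json` by region and service and collapse adjacent prefixes. The region and service used here are assumptions (the thread does not say where deliveries originate), and the sample data is constructed from documentation-reserved addresses.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The addresses are
# documentation-reserved ranges, not real AWS prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2"},
    ],
})


def select_networks(doc, region, service):
    """Return the collapsed IPv4 then IPv6 networks for one region/service."""
    def wanted(entry):
        return entry["region"] == region and entry["service"] == service

    v4 = [ipaddress.ip_network(e["ip_prefix"])
          for e in doc.get("prefixes", []) if wanted(e)]
    v6 = [ipaddress.ip_network(e["ipv6_prefix"])
          for e in doc.get("ipv6_prefixes", []) if wanted(e)]
    # collapse_addresses() rejects mixed IP versions, so merge each family
    # separately; adjacent prefixes become one shorter rule.
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def is_allowed(source_ip, networks):
    """True when source_ip falls inside any of the selected networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    # Assumed region/service; replace with where deliveries actually come from.
    nets = select_networks(json.loads(SAMPLE_IP_RANGES), "us-east-1", "EC2")
    for net in nets:
        print(net)  # one CIDR per line, ready to paste into an IP list
    print(is_allowed("192.0.2.200", nets), is_allowed("198.51.100.7", nets))
```

These ranges are shared by every AWS customer, so an allowlist built from them narrows the source but does not identify the sender; checking the delivery signature at the origin is what does.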