feat: Test webhook from backend

[Zaimwa9]

Thanks for submitting a PR! Please check the boxes below:

• I have added information to docs/ if required so people know about the feature!
• I have filled in the "Changes" section below?
• I have filled in the "How did you test this code" section below?
• I have used a Conventional Commit title for this Pull Request

Changes

The goal of this PR is to move the webhook testing logic from the frontend (with custom method to mimic backend signature) to the backend
Frontend payload exemple (audit log)

{
    "payload": {
        "created_date": "2020-02-23T17:30:57.006318Z",
        "log": "New Flag / Remote Config created: my_feature",
        "author": {
            "id": 3,
            "email": "[email protected]",
            "first_name": "john",
            "last_name": "doe"
        },
        "environment": null,
        "project": {
            "id": 6,
            "name": "Project name",
            "organisation": 1
        },
        "related_object_id": 6,
        "related_object_type": "FEATURE"
    },
    "scope": {
        "id": 2,
        "type": "organisation"
    },
    "secret": "my-secret",
    "webhookUrl": "http://localhost:3001/webhook"
}

• New WebhookViewSet with test endpoint
• Re-uses Organisation/Environment permissions based on scope payload object (on top of existing org/env pk from url)
• Reviewed errors handling: Success = 200 (unchanged), any error from end-user will return status 502 bad gateway and a text message with status and raw error (e.g Webhook returned error status: 400)
• Couple of UI fixes (see screenshots)

How did you test this code?

• Added unit tests
• Spawned 2 webservers (python / node) testing against them

1. Go to environment => webhooks or organisation settings => webhooks
2. Prepare a webhook endpoint
3. Test with / without different signatures
4. Try different error responses

example code:
pip install flask flask-cors
python server.py

# server.py
from flask import Flask, request, jsonify
import hmac
import hashlib
import json
from functools import wraps
import os
import datetime
from flask_cors import CORS

app = Flask(__name__)

WEBHOOK_SECRET = "your-secret"
CORS(app, resources={
    r"/*": {
        "origins": "*", 
        "methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
        "allow_headers": ["Content-Type", "Authorization", "x-flagsmith-signature"]
    }
})

@app.route('/webhook', methods=['POST'])
def webhook():
    received_signature = request.headers.get('x-flagsmith-signature')
    
    if not received_signature and WEBHOOK_SECRET:
        return jsonify({
            'status': 'error',
            'message': 'Missing signature header'
        }), 401

    if WEBHOOK_SECRET:
        request_body = json.dumps(request.json)     
        expected_signature = hmac.new(
            key=WEBHOOK_SECRET.encode(),
            msg=request_body.encode(),
            digestmod=hashlib.sha256
        ).hexdigest()

        print(f"Expected signature: {expected_signature}")
        print(f"Received signature: {received_signature}")
        if not hmac.compare_digest(expected_signature, received_signature):
            return jsonify({
                'status': 'error',
                'message': 'Invalid signature'
            }), 401

    print("Webhook received and verified:", {
        'headers': dict(request.headers),
        'body': request.json,
        'timestamp': datetime.datetime.utcnow().isoformat()
    })

    return jsonify({
        'status': 'success',
        'message': 'Webhook received and verified successfully'
    })

if __name__ == '__main__':
    port = int(os.environ.get('PORT', 3001))
    app.run(host='0.0.0.0', port=port)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

3 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
docs	⬜️ Ignored (Inspect)	Visit Preview		Apr 30, 2025 9:43am
flagsmith-frontend-preview	⬜️ Ignored (Inspect)	Visit Preview		Apr 30, 2025 9:43am
flagsmith-frontend-staging	⬜️ Ignored (Inspect)	Visit Preview		Apr 30, 2025 9:43am

[Zaimwa9]

Curious to have your opinion on this typing and cast @khvn26 before using it more (it's to tackle this environments/views.py:291: error: "type[T]" has no attribute "objects" [attr-defined])

[khvn26]

I understand why it's done here, but I don't think this is necessarily a good solution.

I'd try following the official way to deal with this first by using the ._default_manager attribute.

[Zaimwa9]

Ah perfect thanks I will look into it

[khvn26]

Came up with some comments/questions.

[khvn26]

I believe the recent changes are a massive improvement, good job 👍

There's still a couple comments I'd like you to address, though:

1. I'm not particularly fond of using static sample data, though, as it can get stale easily. Ideally, we should be able to reuse existing webhook tasks in the check.

2. Skimming through the code, I've found (currently unused?) trigger_sample_webhook utility function and TriggerSampleWebhookMixin that we need to either refactor and integrate into your work, or get rid of.

[Zaimwa9]

@khvn26 made the changes. To answer your questions:

1. I went half-way by using the models to generate the sample data so they are closer to reality while remaining predictable (for testing). They are using the existing methods so not much more maintainance, thanks for raising it
2. Indeed, it seems the purpose was similar, I could have caught it. I removed it as it was unused. Anticipating the question. I voluntarily didn't use _call_webhook there because as of it doesn't pass the error through which is imo helpful for users setting up the webhook and modifying could be a breaking change