Bold Commerce custom webhook
Hi All, I've spent the better part of a morning attempting to figure out how to create a custom Bold Commerce v1 Advanced webhook listener but I can't figure out what my issue is. Hopefully someone here can, or has done this before.
This is the documentation regarding webhooks in Bold:
In our Bold Admin webhook config section this is defined (the url is taken from the Celigo listener)
I first tried setting up the Celigo listener as HMAC 256 using the Bold Signing Secret as the key, pointing to the X-Bold-Signature header for the value. This doesn't work, however. If I test push an event from Bold it tells me there's an error (I wish I had more than that, but unfortunately Bold isn't giving me a reason, just that there's an error).
Next I tried setting up the listener as using Token auth, but the issue there is that the key is in the header whereas the Token auth path is looking at the request body
I'm not new to any of this, however I am new to setting these up in Celigo. I feel like I'm missing something very basic here. Does any of this look correct or is it even possible to set this up in Celigo?
I appreciate all help, thanks!
Comments
Bryan Carroll the first way you had it looks correct (with the HMAC setup). I did notice that the Bold Commerce expects back a 200 code, but by default IO returns a 204 code. Can you try modifying the response code to 200 under the advanced settings? Also, the flow has to be on or else IO will return a 403 code. Additionally, try enabling the debugger in IO (in the top right of the screenshot below) and see if we are actually getting the payload, but Bold Commerce thinks it's failing.
Tyler Lamparter Thanks for the quick reply! Good catch on setting the response code. Unfortunately, it didn't make any difference. The flow is definitely enabled. And I had turned on logging when I was testing but nothing came through, and still isn't. I agree, we're not getting the payload so nothing is getting logged.
I feel like I need more information from Bold to understand what is happening. I think my next step is to reach out to them to see if we can get more detailed error reporting because right now we're guessing.
I'm open to other ideas, too, tho :)
Thanks again!
Hi Tyler Lamparter, the more I think about this the more I believe I don't have the signature constructed correctly. The Bold documentation states that the X-Bold-Signature being passed in the header is hashed from the json-encoded request body, the request timestamp, and the signing key that's defined in our Bold Admin for the created webhook. Is there any way for me to do this in the webhook listener? It doesn't look like there's a way to hook javascript into the listener to aid in processing the request.
Bryan Carroll and I met today and swapped over the webhook setup to a secret url and it's working. However, the preferred authentication is HMAC so that we can validate the requests. For that, we've opened up a support ticket and can update back here after resolution.
Please sign in to leave a comment.