Empty webhook payload

(Michael Schultz) #1

Lately, our webhook has received a number of notifications with an empty body (and consequently different SHA1 signatures than the ones we compute).
I sent an email to support@dwolla, and was told to post here. What I’m looking for is for someone with access to Dwolla’s logs to check the times we received the empty webhooks, and see what Dwolla tried to send. Times are in California:
2017-02-07 06:16:45: signature: 7646c4aa97148fd953a8b15eb05038a626963e9b
2017-02-07 11:02:15: signature e532318dc6847aee7763138f1ec93963ce83d88a
2017-02-09 05:50:35: signature 25ede4aad6969020df1ac4f447b7433059a1e460

I have the transactionsIds that generated these webhooks if needed. Didn’t want to post them in a public forum.

(Spencer Hunter) #2

Hi @Michael_Schultz, Can you send me your application name and I’ll see if I can take a look in our logs? (Feel free to PM if you want to keep it private). Also, are these webhooks for API v1 or v2?

(Michael Schultz) #3

Hey Spencer. Sorry for taking so long – didn’t know that you had replied until just now. Today saw a few more instances of empty payloads. When you say ‘application name’, you mean our account #?

If so, $dwolla_account = "812-913-5210";

We’re using API v1.

Here are some instances of transactions that never received the usual “Status”:“pending” webhook notification (because the attempted webhook calls were empty).

If you need the exact times of the empty webhook calls and their signatures, I can provide those.

(*TIME = time that the transaction was created, not the time of webhook)
Feb 28, 2017 8:22 am 17880110 97.00
Feb 27, 2017 8:22 am 17854095 97.00
Feb 25, 2017 5:10 pm 17829755 30.00
Feb 21, 2017 8:22 am 17737622 97.00
Feb 20, 2017 8:22 am 17719516 97.00
Feb 13, 2017 8:22 am 17562596 97.00
Feb 7, 2017 6:16 am 17444980 25.00
Feb 6, 2017 7:22 am 17423334 97.00

(Spencer Hunter) #4

I can see a handful of errors in our logs which state “Unable to contact webhook notification callback”. Is there a possibility that your app missed the POST request from Dwolla for these particular transactions as your subscribed url was down for a period of time? Unfortunately with v1 webhooks we’ll only attempt to POST twice initially and won’t attempt to retry on an exponential backoff schedule.

(Michael Schultz) #5

No, these instances were logged by our webhook. So the webhook was
definitely invoked. I don’t think it’s related to infrastructure because
they seem to occur repeatedly for the same customer while other customers
around the same time are unaffected. For instance, the last 3 occurrences

Mar 9, 2017 8:22 am 75.00 18097015
Mar 8, 2017 8:22 am 75.00 18076107
Mar 7, 2017 8:22 am 75.00 18052326

All for the same customer (Yenaisy
Gutierrez Perez). The charges are all at 8:22am because that’s when our
script runs that attempts to charge people that have signed up for our
’auto-pay system’.

Each day, we attempted the charge, and a transaction was successfully
generated with your Dwolla\Transactions()->send() API. But our webhook
logged the following (just showing the March 9 results; the others are
2017-03-09 08:22:24:
2017-03-09 08:22:24: Dwolla signature mismatch: received
362b00c7329c6697fc0979045d1de70f058d5d41, computed
2017-03-09 08:22:24:
2017-03-09 08:22:24: Dwolla signature mismatch: received
362b00c7329c6697fc0979045d1de70f058d5d41, computed

And now that you mention that the POST is attempted 2 times, these entries
in our logs make sense; each time you POST to us, we log the content (blank
line), and the resulting mis-match in signatures. The mismatch arising from
the fact that we’re computing the signature of an empty payload, and you,
presumably, are not.

For comparison, here’s the previous few lines in our webhook log:
2017-03-09 08:22:22:
2017-03-09 08:22:22: 18097012: -> pending

So the question is… what’s unusual about Yenaisy Gutierrez Perez that’s
making her webhook payloads (as seen by file_get_contents('php://input')),
appear to us as empty??

Thanks for looking into this.

(Michael Schultz) #6

I’ve narrowed it down to users with accents in their names. Something about having an accent in the name (and therefore in the webhook payload) is causing the payload to appear empty.
We’re using PHP, and getting the payload using:
$entityBody = file_get_contents('php://input');

Is this not the recommended way to get the POSTed data?

(Michael Schultz) #7

I’m continuing to have this problem when customers have accent chars in their name. Most recently for Iñaki Beracierto Arroyo for payments made on:
(California time)
Jun 30, 2018 8:22 am
Jul 1, 2018 8:22 am

Please advise
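
An added example, not part of the thread and not Dwolla's or the poster's code: a PHP check that records an empty body as its own condition instead of as a signature mismatch, and compares the declared Content-Length with the bytes actually read. It assumes the signature is a hex HMAC-SHA1 of the raw body keyed with a shared secret; the function name, header name, secret and sample payload are constructed.

```php
<?php
// Added example. Assumptions: signature = hex HMAC-SHA1 of the raw body bytes,
// keyed with a shared secret. Function, secret and sample payload are constructed.

function classify_delivery(string $rawBody, ?string $declaredLen, string $receivedSig, string $secret): array
{
    $actual = strlen($rawBody); // bytes, not characters
    $info = [
        'declared_length' => $declaredLen,
        'actual_length'   => $actual,
        'valid_utf8'      => preg_match('//u', $rawBody) === 1,
    ];
    if ($actual === 0) {
        // Nothing to verify. A nonzero declared length means the sender sent a
        // body that was dropped or consumed before this code read it.
        $info['status'] = ((int) $declaredLen > 0) ? 'body_lost_before_handler' : 'empty_body_received';
    } elseif ($declaredLen !== null && (int) $declaredLen !== $actual) {
        $info['status'] = 'length_mismatch'; // truncated or re-encoded upstream
    } else {
        $computed = hash_hmac('sha1', $rawBody, $secret);
        // hash_equals compares in constant time
        $info['status'] = hash_equals($computed, strtolower($receivedSig)) ? 'ok' : 'bad_signature';
    }
    return $info;
}

// In a live handler (header name is an assumption):
//   classify_delivery(file_get_contents('php://input'),
//       $_SERVER['CONTENT_LENGTH'] ?? null, $_SERVER['HTTP_X_DWOLLA_SIGNATURE'] ?? '', $secret);

// Constructed deliveries, all signed by the "sender" over the UTF-8 bytes.
$secret = 'constructed-secret';
$utf8   = "{\"Id\":1,\"Status\":\"pending\",\"Name\":\"Ni\u{00F1}o Example\"}";
$sig    = hash_hmac('sha1', $utf8, $secret);
$len    = (string) strlen($utf8);
$latin1 = str_replace("\u{00F1}", "\xF1", $utf8); // same text re-encoded as ISO-8859-1

$cases = [
    'intact UTF-8 body'  => [$utf8, $len],
    'body arrives empty' => ['', $len],
    're-encoded body'    => [$latin1, $len],
    're-encoded, length header rewritten' => [$latin1, (string) strlen($latin1)],
];
foreach ($cases as $label => [$body, $declared]) {
    $r = classify_delivery($body, $declared, $sig, $secret);
    printf("%-38s %-26s declared=%s actual=%d utf8=%s\n", $label, $r['status'],
        $r['declared_length'], $r['actual_length'], $r['valid_utf8'] ? 'yes' : 'no');
}
```

Logging the declared length, the actual byte count and the UTF-8 validity next to each rejected delivery separates a body that never reached the script from one whose bytes were altered, which a bare "signature mismatch" line cannot do.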