zokier

Very timely as I have just recently happened to be involved in building a webhook system. Some observations:

1) For something specifically advertised "cloud-native" I would have hoped to see direct integration to e.g. EventBridge/SNS/SQS (or their GCP/Azure equivalents) instead of plain REST API.

2) It is bit weird that you need both Redis and MongoDB here. Is there particular reason why redis alone would not be sufficient?

3) I couldn't at a glance find any docs on the API for receiving the webhooks beyond that small ruby example snippet.

4) You clearly are aware of the security things Stripe has done with their webhook implementation, so it is surprising that you have fair bit simpler model from the looks of it

Some specific security aspects that I noted:

a) Not having some sort of keyids or multiple signatures makes key rotation probably annoying

b) Keys are application-wide instead of per-endpoint

c) Only shared-secret available, no public/private keypair option?

d) No timestamping for replay protection?

Not trying to be too negative about your solution, but its just that I have been thinking exactly these problems myself then they are kinda on top of my head.

There is a draft IETF specification for request signing, that seems relevant here. Maybe you could adopt it in Convoy too? https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-...

subomi

Thanks for this well detailed feedback.

1) Yes, it's on our roadmap.

2) It was/is a design choice, we aren't so familiar with using redis as a persistence store. The goal was to enabled people switch backends depending on what they're comfortable with.

3) Thanks for bringing this up, there are a ton of things we should document.

4) We're working on improving things from a security perspective.

On application-wide keys, we're considering making this configurable, so you can choose what works best for you, we only started with app-wide keys, next is endpoint-keys. :)

On public/private keypair, this is new to me as well! we haven't found anyone doing this in prod. But yes, I can see how this can be useful in specific environments, definitely something we'd like to support.

nicoburns

We’re not currently providing we hooks, but I can see a using something like this if we need to at some point.

I’d definitely appreciate a Postgres options for the queue backend. We currently have an “everything in Postgres” approach for operational simplicity. It works great, and it would fantastic if we could slot this in there too.

subomi

Hmm. To clarify, do you mean Postgres as a queueing backend or storage backend?

We have it planned for a storage backend but not for queueing at the moment.

nicoburns
Both! For context, we're currently using https://github.com/timgit/pg-boss as a task queue on top of postgres and it works great. No need to complicate things with Redis. I believe it's quite straightforward to implement a task queue on top of postgres using the SKIP LOCKED functionality.