HTTP Basic Authentication in PayPal Webhook URLs

Question

(Added: For this question, assume operations on the PayPal API are working and authenticated.)

Do PayPal Webhooks support URLs with HTTP Basic authentication credentials, so the following would create a valid webhook that used the given credentials foo:secret?

webhook_attrs = {
  # NOTE the URL has HTTP Basic credentials of
  # user is 'foo' and password is 'secret':
  url: 'https://foo:[email protected]/paypal_events',
  event_types: [
      { name: 'PAYMENT.AUTHORIZATION.CREATED' },
      { name: 'PAYMENT.AUTHORIZATION.VOIDED' }
  ]
}
webhook = PayPal::SDK::REST::Webhook.new(webhook_attrs)
if webhook.create && webhook.error.nil?
  p "Created webhook:", webhook
else
  p "Failed to create webhook:", webhook.error, webhook
end

Answer 1

PayPal Webhooks do not support HTTP Basic authentication (at time of writing).

Trying to create a Webhook with a URL including HTTP Basic credentials will fail with the following error:

{
  "name" => "VALIDATION_ERROR",
  "details" => [ { "field" => "url", "issue" => "Not a valid webhook URL" } ], 
  "message" => "Invalid data provided",
  "information_link" => "https://developer.paypal.com/docs/api/webhooks/#errors"
}

For developers hoping to do this, a couple of suggestions:

1. Ask PayPal to support this (may be worth mentioning Stripe Webhooks support HTTP Basic Authentication)
2. As a workaround, consider including a long, random secret token in the URL query string instead as an authentication check. For this to be worthwhile the URL must be HTTPS. Beware timing and length attacks in the code that checks the token, a simple == equality check is vulnerable to timing attacks. See https://github.com/rails/rails/blob/d66e7835bea9505f7003e5038aa19b6ea95ceea1/activesupport/lib/active_support/security_utils.rb#L22 for more on timing and length attacks.