Revoke Developer Token deleted Webhook
One thing we discovered, and cannot get confirmation on from Box Support, is that if you create a Webhook and revoke a Developer Token for the user that created the webhook (the same ones that expire in 60 minutes), the Webhooks in that app on the Dev Console get deleted.
Even coming back months later and creating then revoking the token will delete the webhook if it's the same user that created the Webhook.
Even though it's a security concern, I would recommend that you DO NOT REVOKE your developer tokens if you have previously created a Webhook using that same account.
Still waiting on Box Support and have heard nothing back on our ticket on if this is expected behavior or a bug in their API. If it was not a bug I would expect the documentation to have mentioned that somewhere open.
Official comment
Hey Brandon,
This page talks about reasons webhooks could be deleted. We currently have a ticket already filed to beef up this page with further information on what causes webhook deletion. I will add the reason you identified to the ticket. I appreciate you bringing this to our attention.
Thanks,
Alex, Box Developer Advocate
Hi Alex,
Thanks for the web page. It is totally non-intuitive that revoking a developer token would destroy the webhooks in the application. From a security perspective a user would go to the app, create a token, do some work, then revoke the token with no expectation that revoking the token would have negative side effects such as destroying resources.
I would push for having that behavior fixed as a bug, or a notice in the Dev Console articulating this side effect. It caught us by surprise because all we were doing was using the token to find details out about the webhook under that application. If we hadn't recorded the endpoint it was calling, our automation would be completely destroyed due to this bug and our vendor not providing us the details we were trying to discover.
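An added example, not part of the thread and not Box's own code: one way to record webhook definitions before revoking a developer token and to produce the request bodies needed to re-create any that disappear. It assumes the token can read the app's webhooks through `GET /2.0/webhooks` and `GET /2.0/webhooks/{id}`; the function names and the sample data are constructed for illustration.

```python
import json
import urllib.request

API = "https://api.box.com/2.0/webhooks"

def _get(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_webhooks(token):
    """Return full webhook objects visible to this token (list, then GET each id)."""
    full, marker = [], None
    while True:
        page = _get(API + (f"?marker={marker}" if marker else ""), token)
        full += [_get(f"{API}/{e['id']}", token) for e in page.get("entries", [])]
        marker = page.get("next_marker")
        if not marker:
            return full

def snapshot(webhooks):
    """Keep only the fields needed to re-create each webhook, keyed by id."""
    return {w["id"]: {"target": {"id": w["target"]["id"], "type": w["target"]["type"]},
                      "address": w["address"],
                      "triggers": sorted(w["triggers"])}
            for w in webhooks}

def missing_after(before, after):
    """Return POST /2.0/webhooks bodies for webhooks present before but gone after."""
    return [before[i] for i in sorted(before.keys() - after.keys())]

# Constructed sample data standing in for fetch_webhooks() output.
BEFORE = [
    {"id": "1001", "type": "webhook", "target": {"id": "555", "type": "folder"},
     "address": "https://hooks.example.com/box", "triggers": ["FILE.UPLOADED", "FILE.DELETED"]},
    {"id": "1002", "type": "webhook", "target": {"id": "777", "type": "file"},
     "address": "https://hooks.example.com/box2", "triggers": ["FILE.PREVIEWED"]},
]
AFTER = [BEFORE[1]]  # constructed: webhook 1001 is gone after the token revocation

if __name__ == "__main__":
    # Live use: save snapshot(fetch_webhooks(token)) to disk before revoking.
    lost = missing_after(snapshot(BEFORE), snapshot(AFTER))
    print(json.dumps(lost, indent=2))
```

Take the "before" snapshot with the token that is about to be revoked, and the "after" snapshot with a different, still-valid token for the same app.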