Occasional 403 Forbidden response from webhook request


I have created a plugin that just adds a REST route as a webhook, so we can create some Mailjet contacts. This is how I create the route:

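add_action('rest_api_init', static function () {
    // Registers POST /wp-json/api/v1/webhooks/mailjet
    register_rest_route('api/v1', '/webhooks/mailjet', [
        'methods' => 'POST',
        'callback' => 'process_mailjet_webhook',
        // Always returns true: the route accepts unauthenticated requests.
        'permission_callback' => static function () {
            return true;
        },
    ]);
});
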
There are 2 services that call this endpoint. The first one is the Gravity Forms Webhooks plugin and the second one is a ConvertBox. The problem we’re having is that the ConvertBox request ends in a 403 error, while the GF Webhooks plugin and a regular command line cURL request work just fine.

These are from our access logs:

[20/May/2020:09:47:32 +0000] "POST /wp-json/api/v1/webhooks/mailjet HTTP/1.1" 403
[20/May/2020:10:07:00 +0000] "POST /wp-json/api/v1/webhooks/mailjet HTTP/2.0" 200
[20/May/2020:10:13:16 +0000] "POST /wp-json/api/v1/webhooks/mailjet HTTP/1.1" 200

I then tracked it down further to $GLOBALS['wp']->query_vars['rest_route'] in the rest_api_loaded function in wp-includes/rest-api.php. That variable is set for the requests with the 200 status code, but obviously not for the 403 one. The only place I could find where that variable is being set is in the rest_api_init function, also in wp-includes/rest-api.php. This function is hooked to init, so it should always run if I’m not mistaken.

I have already asked for more information about the payload from ConvertBox, like headers, etc., but I am wondering if anybody here knows what could cause this on the WP side?

Thanks for your help, appreciate it!
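
Added example, not part of the original post: a temporary must-use plugin that records what WordPress sees for each call to the webhook just before core's rest_api_loaded() runs, so the failing and working requests can be compared. The constant names, the function name, the log prefix and the X-Api-Key header entry are assumptions made for this sketch.

```php
<?php
/**
 * Added diagnostic example (not from the original post).
 * Place in wp-content/mu-plugins/ while investigating, then remove it.
 */

// Assumed constant: the route from the post, without the /wp-json prefix.
const MAILJET_WEBHOOK_ROUTE = '/api/v1/webhooks/mailjet';

// Headers that may carry credentials and must not be written to the log.
// HTTP_X_API_KEY is a constructed entry; adjust to the headers actually in use.
const WEBHOOK_DEBUG_REDACTED = ['HTTP_AUTHORIZATION', 'HTTP_COOKIE', 'HTTP_X_API_KEY'];

/** Collect request metadata from a $_SERVER-style array, masking secrets. */
function webhook_debug_snapshot(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        $is_header = strpos($key, 'HTTP_') === 0
            || $key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH';
        if (!$is_header) {
            continue;
        }
        $headers[$key] = in_array($key, WEBHOOK_DEBUG_REDACTED, true)
            ? '[redacted]' : (string) $value;
    }
    return [
        'method'   => $server['REQUEST_METHOD'] ?? '',
        'protocol' => $server['SERVER_PROTOCOL'] ?? '',
        'uri'      => $server['REQUEST_URI'] ?? '',
        'headers'  => $headers,
    ];
}

// Priority 9 runs before core's rest_api_loaded(), which is hooked to
// parse_request at the default priority 10.
add_action('parse_request', static function ($wp) {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if (strpos($uri, MAILJET_WEBHOOK_ROUTE) === false) {
        return; // Not the webhook; log nothing.
    }
    $snapshot = webhook_debug_snapshot($_SERVER);
    // null here means the rest_route query var was never populated.
    $snapshot['rest_route'] = $wp->query_vars['rest_route'] ?? null;
    // wp_json_encode() escapes control characters, keeping one entry per line.
    error_log('[mailjet-webhook-debug] ' . wp_json_encode($snapshot));
}, 9);
```

If a request that shows 403 in the access log produces no log entry at all, it was rejected before WordPress reached parse_request, for example by the web server or a filtering layer in front of it.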