Plaid Spring Boot webhook listener
I am wondering if anyone knows best practices for handling Plaid webhooks with Java Spring Boot?
Does the Plaid SDK offer any easy way to convert the webhook request object to a model object for the given event type? I only see they have Node Express examples, which seem to only deconstruct the JSON request object by key.
Also wondering if there is any way to verify the incoming webhook request is actually from Plaid.
```java
// Receives Plaid webhooks and logs the ITEM webhook codes it recognises.
@PostMapping(value = "/webhook/plaid", produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<String> plaidWebhook(@RequestBody String payload) {
    JSONParser parser = new JSONParser(payload);
    JSONObject plaidWebhookRequest = null;
    try {
        plaidWebhookRequest = (JSONObject) parser.parse();
        // Pull out the fields by key; a missing key yields null.
        String webhookType = plaidWebhookRequest.has("webhook_type") ? (String) plaidWebhookRequest.get("webhook_type") : null;
        String webhookCode = plaidWebhookRequest.has("webhook_code") ? (String) plaidWebhookRequest.get("webhook_code") : null;
        String error = plaidWebhookRequest.has("error") ? (String) plaidWebhookRequest.get("error") : null;
        String itemID = plaidWebhookRequest.has("item_id") ? (String) plaidWebhookRequest.get("item_id") : null;
        // Only ITEM webhooks are dispatched here.
        if (webhookType != null && webhookCode != null && webhookType.equals(WebhookType.ITEM.name())) {
            switch (webhookCode) {
                case ERROR_WEBCODE:
                    log.info("Plaid webhook received: " + ERROR_WEBCODE);
                    break;
                case PENDING_EXPIRATION:
                    log.info("Plaid webhook received: " + PENDING_EXPIRATION);
                    break;
                case USER_PERMISSION_REVOKED:
                    log.info("Plaid webhook received: " + USER_PERMISSION_REVOKED);
                    break;
            }
        }
    } catch (ParseException e) {
        log.debug("Plaid webhook object failed to convert to JSONObject");
    }
    // Always acknowledge with 200 and an empty body.
    return ResponseEntity.status(HttpStatus.OK).body("");
}
```
Solution 1:[1]
I am not a Java expert but I can speak to some of the other parts of your question:
You can use the webhook verification endpoint to verify that the webhook is from Plaid: https://plaid.com/docs/api/webhooks/webhook-verification/ although I will admit the process is not as easy as most of the other things you can do with the Plaid API.
As an alternative option -- for a situation like this, you can always check the Item status by calling /item/get to confirm that the Item needs to be updated before sending the user through update mode. As a rule, Plaid doesn't ever send sensitive information in webhooks, and information in webhooks can be verified by calling endpoints that are free to call, so you should never need to "trust" a Plaid webhook without verifying it if you don't want to. This is generally smart to do anyway, for example: even if you got a webhook indicating that the Item is in an error state, the user may have resolved it or it may have self-healed in the interim.
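The verification flow the answer links to, sketched in Java as an added example (not code from the question, the answer, or Plaid's SDK). It assumes Java 17, the Nimbus JOSE+JWT library on the classpath, and a hypothetical `jwkJsonForKid` lookup that returns the JWK JSON obtained from Plaid's `/webhook_verification_key/get` endpoint for a given key id.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.HexFormat;
import java.util.function.Function;

public final class PlaidWebhookVerifier {
    private static final Duration MAX_AGE = Duration.ofMinutes(5);
    // Hypothetical hook (an assumption of this example): maps a key id to the JWK JSON
    // fetched from /webhook_verification_key/get. Cache the result per key id.
    private final Function<String, String> jwkJsonForKid;

    public PlaidWebhookVerifier(Function<String, String> jwkJsonForKid) {
        this.jwkJsonForKid = jwkJsonForKid;
    }

    // token: value of the Plaid-Verification header; rawBody: request body exactly as received.
    public boolean isAuthentic(String token, String rawBody) {
        if (token == null || rawBody == null) return false;
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm before any key lookup, so tokens using another alg are rejected.
            if (!JWSAlgorithm.ES256.equals(jwt.getHeader().getAlgorithm())) return false;
            String kid = jwt.getHeader().getKeyID();
            if (kid == null) return false;
            ECKey key = ECKey.parse(jwkJsonForKid.apply(kid));
            if (!jwt.verify(new ECDSAVerifier(key))) return false;
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            // Reject stale tokens to limit replay of a captured webhook.
            Date iat = claims.getIssueTime();
            if (iat == null || iat.toInstant().isBefore(Instant.now().minus(MAX_AGE))) return false;
            String claimed = claims.getStringClaim("request_body_sha256");
            if (claimed == null) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(rawBody.getBytes(StandardCharsets.UTF_8));
            String actual = HexFormat.of().formatHex(digest);
            // Constant-time comparison of the computed and claimed hex digests.
            return MessageDigest.isEqual(actual.getBytes(StandardCharsets.US_ASCII),
                    claimed.getBytes(StandardCharsets.US_ASCII));
        } catch (Exception e) {
            return false; // malformed token, unknown key or bad signature: treat as unverified
        }
    }
}
```

In a controller like the one in the question, read the token with `@RequestHeader("Plaid-Verification")` and pass the `@RequestBody String payload` unchanged. Hashing a re-serialized JSON object instead of the raw body will not match the `request_body_sha256` claim.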
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Alex |
