Webhooks

Guide on how to implement Lasso webhooks for real-time updates

Webhooks allow you to receive real-time notifications about actions taken on the Lasso Moderation platform. By configuring a webhook URL, Lasso Moderation can automatically send a JSON payload to your server whenever a particular event occurs on the platform. Webhooks can be configured under settings in the dashboard.

Webhook

To set up a webhook, you need to provide a valid URL that can receive HTTPS POST requests. When an event is triggered on the platform, Lasso Moderation will send a JSON payload to the specified URL. This payload contains information about the event that occurred, including any relevant data that you may need to take action.

Multiple actions can be sent in a single HTTP POST request. This happens for bulk operations, where multiple actions are taken at once. The actions are ordered by when they were taken.

Here's an example payload from a webhook that is triggered when a user flags a piece of content:

Webhook payload
{
  "actions": [
    {
      "action_type": "ChangeStatus", // The type of the action, this can be e.g. "ChangeStatus", "StrikeUser", "UpdateList" etc.
      "action_id": "clf10kbhp0012sauvpxlqsb6h", // The Lasso ID of the action
      "action_created_at": "2023-03-11T15:02:13.178Z", // ISO date of when the action was taken
      "actor_id": "cldk3z9ze0004saiy542wfbck", // The Lasso ID of the actor who triggered this action. This can be a moderator or a rule.
      "type": "user", // The type of object the action is taken on, "user", "content" or "subcategory"
      "status": "hidden", // The status of the object, this can be "allowed", "flagged" or "hidden"
      "previous_status": "flagged", // The status of the object before the action was taken, this can be "allowed", "flagged" or "hidden"
      // (optional) user is only sent when type === "user"
      "user": {
        "id": "cldk3z9ze0004saiy542wfbck", // The product's ID of the user
        "tags": ["potential-spammer"] // Custom tags attached to the user
      },      
      // (optional) content is only sent when type === "content"
      "content": {
        "id": "cldk3zadj019wsaiyudwdtxtr", // The ID of the content
        "created_at": "2023-03-11T15:02:13.178Z", // ISO date of when the content was created
        "user_id": "cldk3z9ze0004saiy542wfbck", // The ID of the user who sent the content
        "subcategory_id": "cldvl1z2l002xsaykyoje94od", // The ID of the subcategory the content is part of
        "category_id": "cldq51mh005fjsaw2y0fx3t5c", // The ID of the category the content is part of
        "tags": ["explicit-content"] // Custom tags attached to the content
      },
      // (optional) subcategory is only sent when type === "subcategory"
      "subcategory": {
        "id": "cldvl1z2l002xsaykyoje94od" // The product's ID of the subcategory
      },
      // (optional) when the user is temporarily banned
      "temporary_ban": {
        "until": "2023-12-18T17:42:38.558Z",
        "period": "week",
        "duration": 1
      },      
      "policy_id": "inappropriate-content", // (optional) The ID of the policy that was used when taking this action
      "policy_name": "Inappropriate Content", // (optional) The name of the policy that was used when taking this action
      "policy_information": "This content contains XXX" // (optional) Extra information that was given when the action was taken
    }
  ]
}

Response

The webhook does not expect a particular response, other than a 200 status code when the action has been handled by your product.

When the product does not respond with a 200 status after all retries, the action(s) will be automatically reverted in Lasso.

Invalid actions

If an invalid action is taken (e.g. when an action leads to an error), you can revert the action(s). This ensures the status of the object stays in sync between the product and Lasso. You can revert actions by returning a list of action IDs.

Webhook response
{
   "revert": ["action_id_1","action_id_2"]
}

Retries

In case the webhook fails and receives an error code (3XX, 4XX, 5XX), it will automatically be retried with exponential backoff. Lasso will try to deliver the webhook at most 5 times over the course of a minute.

When Lasso Moderation sends a webhook to your server, it includes a digital signature that you can use to ensure that the payload has not been tampered with.

To verify the signature, you need to compute a keyed hash (HMAC) of the raw request body using a secret key that you share with Lasso Moderation. The secret key can be found under settings in the Lasso Moderation dashboard. The HMAC should be computed using the SHA-256 hashing algorithm, base64-encoded and prefixed with sha256=.

Once you have computed the value, you can compare it to the signature included in the X-Lasso-Signature header of the webhook request. Use a constant-time comparison function so that the check does not leak timing information about the expected value. If the two values match, you can be confident that the payload has not been modified in transit.

Here are some examples of how you might verify the signature of a webhook payload:

JavaScript

import * as crypto from "crypto";

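function verifySignature(
  payload, // raw body of the request, before any JSON parsing
  signature, // X-Lasso-Signature from the header
) {
  const secret = process.env.LASSO_WEBHOOK_SECRET; // You need to set this environment variable.
  const hmac = crypto.createHmac("sha256", secret);
  const hash = hmac.update(payload).digest("base64");
  const expected = Buffer.from(`sha256=${hash}`);
  const received = Buffer.from(signature ?? "");
  // Constant-time comparison; timingSafeEqual throws on unequal lengths, so check the length first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}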

Python

import os
import hmac
import hashlib
import base64

def verify_signature(payload: str, signature: str) -> bool:
    """
    Verifies the signature of a webhook request payload.

    Args:
        payload (str): The request payload as a string.
        signature (str): The X-Lasso-Signature header value as a string.

    Returns:
        bool: True if the signature is valid, False otherwise.
    """
    # You need to set this environment variable.
    secret = os.environ['LASSO_WEBHOOK_SECRET'] 
    
    # Compute the HMAC digest of the payload using the secret and SHA256 algorithm
    hmac_digest = hmac.new(secret.encode('utf-8'), payload.encode('utf-8'), hashlib.sha256).digest()

    # Encode the HMAC digest using base64
    expected_signature = f'sha256={base64.b64encode(hmac_digest).decode("utf-8")}'

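    # Compare the computed signature with the signature received in the header,
    # in constant time so the comparison does not leak how many characters matched
    return hmac.compare_digest(expected_signature.encode('utf-8'), signature.encode('utf-8'))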
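
The receiver logic below is an added example, not code from Lasso Moderation. It verifies X-Lasso-Signature over the raw body, skips action IDs that were already applied (deliveries can be retried), and returns the revert list for actions it cannot apply. The store and seen_ids arguments, the 401 and 400 status codes and the sample delivery are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

STATUSES = ("allowed", "flagged", "hidden")

def sign(raw_body: bytes, secret: bytes) -> str:
    """Header format shown on this page: 'sha256=' + base64(HMAC-SHA256(body))."""
    mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(mac).decode("ascii")

def handle_webhook(raw_body, header, secret, store, seen_ids):
    """Return (http_status, response_dict) for one delivery."""
    # store {(type, id): status} and seen_ids (set) are hypothetical product state.
    # Verify over the exact bytes received, before parsing untrusted JSON.
    expected = sign(raw_body, secret).encode("ascii")
    if not hmac.compare_digest(expected, (header or "").encode("utf-8")):
        return 401, {}  # assumed status code; Lasso retries on 4XX
    try:
        actions = json.loads(raw_body)["actions"]
    except (ValueError, KeyError, TypeError):
        return 400, {}
    if not isinstance(actions, list) or not all(
            isinstance(a, dict) and isinstance(a.get("action_id"), str) for a in actions):
        return 400, {}
    revert = []
    for action in actions:  # ordered by when the actions were taken
        action_id = action["action_id"]
        if action_id in seen_ids or action.get("action_type") != "ChangeStatus":
            continue  # already applied on an earlier delivery, or not handled here
        kind, status = action.get("type"), action.get("status")
        target = action.get(kind) if kind in ("user", "content", "subcategory") else None
        obj_id = target.get("id") if isinstance(target, dict) else None
        if isinstance(obj_id, str) and (kind, obj_id) in store and status in STATUSES:
            store[(kind, obj_id)] = status
            seen_ids.add(action_id)
        else:
            revert.append(action_id)  # ask Lasso to undo what the product could not apply
    return 200, ({"revert": revert} if revert else {})

# Constructed sample delivery: "u1" exists in the product, "c9" does not.
SECRET = b"constructed-test-secret"
BODY = json.dumps({"actions": [
    {"action_type": "ChangeStatus", "action_id": "a1", "type": "user",
     "status": "hidden", "user": {"id": "u1"}},
    {"action_type": "ChangeStatus", "action_id": "a2", "type": "content",
     "status": "hidden", "content": {"id": "c9"}},
]}).encode("utf-8")
```

Pass the body exactly as it arrived on the wire; re-serialising parsed JSON changes the bytes and the HMAC will no longer match.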

PHP

function verify_signature($payload, $signature) {
  /**
   * Verifies the signature of a webhook request payload.
   *
   * @param string $payload The request payload as a string.
   * @param string $signature The X-Lasso-Signature header value as a string.
   *
   * @return bool True if the signature is valid, False otherwise.
   */
  // You need to set this environment variable.
  $secret = getenv('LASSO_WEBHOOK_SECRET');
  
  // Compute the HMAC digest of the payload using the secret and SHA256 algorithm
  $hmac_digest = hash_hmac('sha256', $payload, $secret, true);

  // Encode the HMAC digest using base64
  $expected_signature = 'sha256=' . base64_encode($hmac_digest);

  // Compare the computed signature with the signature received in the header,
  // using a constant-time comparison
  return hash_equals($expected_signature, (string) $signature);
}

Other languages

Please reach out to info@lassomoderation.com in case you would like a code example in a different language.
