POST /webhooks/scorm-session

Disable body parsing: the webhook needs the raw body for signature verification.
Webhook payload validation schema.
Optional: activity_id, if the SCORM API knows which LMS activity this belongs to.
Webhook secret for verification (should match the SCORM API webhook secret).
In development, allow skipping verification if the secret is not configured.
In production, require the secret.
Validate the signature format (should be a hex string). HMAC-SHA256 produces 32 bytes = 64 hex characters.
Compute the expected signature using HMAC-SHA256. The SCORM API uses hex-encoded signatures.
Constant-time comparison to prevent timing attacks.
Convert the hex strings to buffers for comparison.
Ensure the buffers are the same length (timingSafeEqual requires this). HMAC-SHA256 produces 32 bytes = 64 hex characters.

POST /api/webhooks/scorm-session
Verify the webhook signature if provided.
Parse and validate the payload.
Only process completion and significant update events.
If activity_id is provided, sync directly via an internal request.
Call the sync endpoint with the internal request header.
The sync endpoint will validate that the session belongs to the user from session.user_id.
The header signals that this is an internal request from the webhook.
If activity_id is not provided, try to find it from the scorm_activity_sessions mapping table (this would require the optional mapping table from task 6).
For now, log and return success (polling will handle it).
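The signature checks described above, as an added Node.js example that is not the project's own code. The function name, the result strings, the secret and the sample payload are assumptions made for the demo, and rejecting a missing signature whenever a secret is configured is a choice made in this example.

```javascript
const crypto = require('node:crypto');

const HEX_SHA256 = /^[0-9a-f]{64}$/i; // 32-byte HMAC-SHA256 digest as hex

// Hypothetical helper (not the project's code). rawBody must be the exact bytes
// received, before any JSON parsing; signatureHex is the signature sent with the request.
function verifyScormWebhook(rawBody, signatureHex, secret, isProduction) {
  if (!secret) {
    // Page behaviour: a missing secret is tolerated only outside production.
    return isProduction
      ? { ok: false, reason: 'secret_not_configured' }
      : { ok: true, reason: 'verification_skipped_dev' };
  }
  // Assumption of this example: with a secret set, a missing signature is rejected.
  if (typeof signatureHex !== 'string' || !HEX_SHA256.test(signatureHex)) {
    return { ok: false, reason: 'bad_signature_format' };
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const provided = Buffer.from(signatureHex, 'hex');
  // timingSafeEqual throws on unequal lengths, so check first.
  if (provided.length !== expected.length) {
    return { ok: false, reason: 'bad_signature_format' };
  }
  return crypto.timingSafeEqual(provided, expected)
    ? { ok: true, reason: 'verified' }
    : { ok: false, reason: 'signature_mismatch' };
}

// Constructed sample input: secret and payload fields are made up for the demo.
const demoSecret = 'constructed-demo-secret';
const demoBody = Buffer.from('{"event":"completed","session_id":"s-1"}');
const demoSig = crypto.createHmac('sha256', demoSecret).update(demoBody).digest('hex');

function demo() {
  const reparsed = Buffer.from(JSON.stringify(JSON.parse(demoBody.toString('utf8')), null, 1));
  return {
    valid: verifyScormWebhook(demoBody, demoSig, demoSecret, true).reason,
    // Re-serialised JSON has different bytes, so the MAC no longer matches:
    reserialised: verifyScormWebhook(reparsed, demoSig, demoSecret, true).reason,
    truncated: verifyScormWebhook(demoBody, demoSig.slice(0, 40), demoSecret, true).reason,
    noSecretProd: verifyScormWebhook(demoBody, demoSig, '', true).reason,
    noSecretDev: verifyScormWebhook(demoBody, demoSig, '', false).reason,
  };
}

console.log(demo());
```

The `reserialised` case is why body parsing is disabled for this route: the MAC covers the bytes as sent, not the parsed object.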

Endpoint

POST /webhooks/scorm-session

Error Responses

Status Code    Error Code    Description
401            HTTP_401      Unauthorized
400            HTTP_400      Bad Request
500            HTTP_500      Internal Server Error

Example Request

curl -X POST "https://api.allurelms.com/webhooks/scorm-session" \
  -H "Content-Type: application/json" \
  -d '{}'