Webhook response with PDF

Hi,
It’s my first question in the community of the fantastic OttoFMS tool.

I want to use an OttoFMS webhook from a QR code and return a PDF from an FM database.
Is it possible?

In the doc we have this:

{
  "useScriptResult": true,
  "status": 200,
  "statusMessage": "OK",
  "headers": { "Content-Type": "application/json" },
  "body": "{}"
}

But changing the content-type to application/pdf does not work…

Thanks for your help.

Welcome to the community. We are glad you are here.

What sort of application is reading the QR Code?

Are you hoping that aiming your phone camera at the QR will trigger the download of the PDF? If so, the answer is no, that won’t work. The camera is going to just open the URL in a browser with a GET request. Webhooks use POST requests.

Also the webhook response will not be able to handle a binary file like a PDF.

Let me know if I have understood you correctly.

Thanks

Todd

Hi Todd,

Yes, that’s what I want to do, and I suspected that the solution would not be that simple.

I solved the problem with a webhook like https://my_FMS/otto/receiver/My_DB.fmp12/my_Channel?apiKey=dk_XXXXXXX&param=my_UUID and by returning HTML code containing an iframe whose source is a link to the PDF previously placed in a subfolder of the FileMaker Documents folder.
This subfolder is declared as the source of a virtual directory of the website on the server.

Thank you very much for your feedback and congratulations again for the quality of your tools.

This is a very clever use of webhooks, but I should caution you that this is not very secure. Data API keys give access to the FileMaker Data API for the account for which they were created. By default they are included in the URL since this is simpler for integration and most 3rd party services don’t let you set custom headers when defining a webhook, but since the API keys are long-lived tokens with access to the data from your database, they are usually not meant to be given directly to users.

If you are using the webhook URL directly for your QR code, this means the API key is exposed to any user who can scan that QR code. If you must use this method, please at least make sure that the API key is created for an FM account with extremely limited access to your file, or that you are creating a user-specific API key for each individual user that needs a QR code.
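
A check that could run before a URL is encoded into a QR code, flagging the exposure described in the post above and producing a redacted form for logs. This is an added example, not part of the thread and not OttoFMS code; the `apiKey` parameter name and `dk_` prefix are taken from the URL quoted earlier, and the host name and sample values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumptions (not from OttoFMS documentation): the key travels in a
# parameter named "apiKey" and data API keys start with "dk_", as in the
# URL quoted in this thread.
KEY_PARAM = "apikey"
KEY_PREFIX = "dk_"
REDACTED = "REDACTED"

def _scrub(pairs):
    """Return (clean_pairs, hit) for a list of (name, value) pairs."""
    clean, hit = [], False
    for name, value in pairs:
        # Match on the parameter name (any case) or on a key-shaped value
        # hiding under a different name.
        if name.lower() == KEY_PARAM or value.startswith(KEY_PREFIX):
            clean.append((name, REDACTED))
            hit = True
        else:
            clean.append((name, value))
    return clean, hit

def check_qr_url(url):
    """Inspect a URL destined for a QR code.

    Returns (exposes_key, redacted_url). The redacted form is what should
    be written to logs or tickets when exposes_key is True.
    """
    parts = urlsplit(url)
    query, q_hit = _scrub(parse_qsl(parts.query, keep_blank_values=True))
    # A key placed in the fragment is still visible to whoever scans the code.
    frag, f_hit = _scrub(parse_qsl(parts.fragment, keep_blank_values=True))
    fragment = urlencode(frag) if f_hit else parts.fragment
    redacted = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), fragment)
    )
    return q_hit or f_hit, redacted

# Constructed sample inputs (placeholder host, key and UUID).
SAMPLES = [
    "https://fms.example.com/otto/receiver/My_DB.fmp12/my_Channel?apiKey=dk_XXXXXXX&param=my_UUID",
    "https://fms.example.com/docs/view?doc=my_UUID",
]

if __name__ == "__main__":
    for u in SAMPLES:
        exposed, safe = check_qr_url(u)
        print("EXPOSES KEY" if exposed else "ok", safe)
```
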

Hi Eric,

Thanks for the warnings, I always use a very limited specific dapi account and the QR code is only accessible via a secure third-party interface.
