# OpenAPI Webhooks

There are cases where you want to tell your API **users** that your app could call *their* app (sending a request) with some data, normally to **notify** of some type of **event**.

This means that instead of the normal process of your users sending requests to your API, it's **your API** (or your app) that could **send requests to their system** (to their API, their app).

This is normally called a **webhook**.

## Webhooks steps

#### The time to answer helps the attackers

At that point, by noticing that the server took some microseconds longer to send the "Incorrect username or password" response, the attackers will know that they got _something_ right, some of the initial letters were right.

    with pytest.raises(WebSocketDisconnect):
        with client.websocket_connect("/items/bar/ws?token=some-token") as websocket:
            message = "Message one"
            websocket.send_text(message)
            data = websocket.receive_text()
            assert data == "Session cookie or query token value is: some-token"
            data = websocket.receive_text()

    with pytest.raises(WebSocketDisconnect):
        with client.websocket_connect("/items/bar/ws?token=some-token") as websocket:
            message = "Message one"
            websocket.send_text(message)
            data = websocket.receive_text()
            assert data == "Session cookie or query token value is: some-token"
            data = websocket.receive_text()

                    public Source(@Nullable String some) {}
                    @Nullable public String nonFinalField = null;
                    public String foo(@Nullable String bar) { return "some"; }
                }
            """,
            v2 = """
                public class Source {
                    public Source(String some) {}
                    public String nonFinalField = "some";

* Each application that you have running on your computer has some process behind it, each running program, each window, etc. And there are normally many processes running **at the same time** while a computer is on.
* There can be **multiple processes** of the **same program** running at the same time.

                fun Int.invoke(some: Int) {}
                operator fun Boolean.invoke(some: Int) {}

                fun String.invoke(some: Int) {}
                operator fun Long.invoke(some: Int) {}

                fun Float.invoke(some: Int) {}
                infix fun Byte.invoke(some: Int) {}

                interface Source {
                    infix fun String.plus(some: List<Int>): String

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  short readShort();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  int readUnsignedShort();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  char readChar();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  int readInt();

  @CanIgnoreReturnValue // to skip some bytes
  @Override
  long readLong();

        new File("/home/build/x/y/z.jar").toURI(),
        ClassPath.getClassPathEntry(new File("/home/build/outer.jar"), "x/y/z.jar").toURI());
    assertEquals(
        "/home/build/x y.jar",
        ClassPath.getClassPathEntry(new File("/home/build/outer.jar"), "x y.jar").getFile());
  }

  public void testGetClassPathFromManifest_nullManifest() {
    assertThat(ClassPath.getClassPathFromManifest(new File("some.jar"), null)).isEmpty();
  }

    * A "token" is just a string with some content that we can use later to verify this user.
    * Normally, a token is set to expire after some time.
        * So, the user will have to log in again at some point later.
        * And if the token is stolen, the risk is less. It is not like a permanent key that will work forever (in most of the cases).