| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Odoo Apps Dependencies |
Discuss (mail)
|
| Community Apps Dependencies | Show |
| Lines of code | 4344 |
| Technical Name |
eh_hero_webhook |
| License | OPL-1 |
| Website | https://www.erpheritage.com.au/ |
| Versions | 16.0 17.0 18.0 19.0 |
Employment Hero Webhook Receiver
Turn signed Employment Hero events into safe, out of band sync work the moment they arrive.
Store price is USD 132 all-in: installing this also pulls the 3 paid ERP Heritage modules it depends on.
Why this module
Employment Hero Webhook Receiver
Every event is signed and checked first
Each delivery is verified against the connection secret with a constant time HMAC SHA-256 comparison before anything is written. A bad signature returns 401 and creates no row, so the public endpoint cannot be used to forge events or flood the table.
A replayed delivery changes nothing twice
Events are keyed by connection and external event id, enforced by a database unique constraint and a savepoint guard. A duplicate, including a concurrent race, is answered with a clean acknowledgement and never processed a second time.
Slow syncs never block delivery
A verified event is parked on the asynchronous queue and dispatched by the drain, so the HTTP endpoint returns in milliseconds. Failures retry with backoff and dead-letter through the queue, and a dead-lettered delivery raises an alert on the connection.
Day in the life
An employee record changes upstream
Employment Hero POSTs the change to the connection webhook URL. The receiver verifies the HMAC signature, checks it is not a replay, records the event, and queues it. The drain matches the event type to your subscription and runs the bound sync job out of band. With per entity targeting set, it fetches only that one employee by id, applies the timestamp stale-overwrite guard, and the record in Odoo is updated moments after it changed upstream, with no polling loop in between.
Edge cases
The cases most modules quietly ignore.
In the shipped code today, each one a place where a cheaper module silently does the wrong thing.
A duplicate delivery, even one racing a concurrent copy, is caught by the unique constraint and savepoint and acknowledged idempotently rather than processed or raising a 500.
An unsigned or wrongly signed POST is rejected with 401 before any write, logged, and never creates a row, so the public endpoint cannot be flooded or forged.
When the connection declares the entity path, deliveries for one record are queued on a per entity ordered channel and processed strictly in arrival order, never concurrently.
A subscription requires its job to track a source timestamp, so an older webhook arriving after a newer one cannot overwrite the fresher record.
With an entity id path set, a failed dispatch re-fetches only the single changed record by id on retry, never re-paginating the whole list endpoint.
A configured delete event type, or a 404 on the targeted fetch, archives or unlinks the linked Odoo record and severs the external link cleanly, with no poison retry.
A verified event that matches no subscription is marked processed but logged as a warning, so a missing route is visible instead of silently swallowed.
A dispatch that fails every retry dead-letters through the queue and posts a chatter message plus a To Do activity on the connection so an administrator can act.
A payload over the one megabyte cap is refused with 413 before it is read or hashed, so a hostile sender cannot make the worker buffer an unbounded body.
A POST to a path token that matches no connection returns 404 without touching the database.
What is inside
Built to do the job, end to end.
- Signed inbound endpoint. A public POST route per connection, identified by a random path token, with constant time HMAC SHA-256 verification, a one megabyte body cap, and a handler that always returns a clean response instead of leaking a traceback.
- Recorded event log. Every delivery is stored with its connection, event type, external id, signature result and raw JSON payload, giving a full audit trail. A unique constraint on connection and external id provides replay protection at the database level.
- Subscriptions. Bind an event type to a sync job, scoped to one connection or left global. Optional entity id path enables single record targeting, and delete event types route upstream deletions to archive or unlink the linked record.
- Queue backed dispatch. Verified events are enqueued and dispatched by the drain, with optional per entity ordered channels, retry with backoff and dead-letter handled by the suite job queue, plus a dead-letter alert on the connection.
- Encrypted secret. The webhook secret is encrypted at rest and gated to system administrators, with a shipped migration that encrypts any legacy plaintext column and drops it, so a database dump never exposes a secret that could forge signed events.
- Generated configuration. A single action generates the path token and a secret if missing and exposes the ready to use webhook URL, so connecting Employment Hero is a copy and paste, not a manual credential dance.
Honest about the edges
What this does not do, so nothing surprises you.
- Direction is inbound only, Employment Hero to Odoo. This module receives and routes events, it does not push Odoo changes back out.
- It does not pull or transform data itself. Dispatch runs the sync jobs and mappings defined in the synchronisation engine module it depends on.
- Retry with exponential backoff and the dead-letter state are provided by the suite job queue module, which is a dependency, not by this module alone.
- There is no conflict resolution beyond the timestamp based stale-overwrite guard, which requires each subscribed job to declare a source updated-at path.
- Signature verification expects a hex HMAC SHA-256 digest of the raw body, keyed by the per connection secret. Other signing schemes are not supported.
- It requires the Employment Hero platform to support outbound webhooks for the events you want and to send them to the generated URL.
- A public web base URL reachable by Employment Hero is required for deliveries to arrive.
Employment Hero webhook Odoo, Odoo 16 Employment Hero integration, HMAC webhook signature verification Odoo, inbound webhook receiver Odoo, idempotent webhook replay protection, real time HR sync Odoo, Employment Hero events Odoo, queue backed webhook dispatch, Odoo HR webhook integration, secure webhook endpoint Odoo
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module