From 75196cbf84f340e8d8a81b9c9bcd6a9850a9f988 Mon Sep 17 00:00:00 2001 From: Faruk AYDIN Date: Wed, 7 Dec 2022 13:09:04 +0100 Subject: [PATCH] feat: Introduce webhook secret key to verify webhook requests --- docker-compose.yml | 2 + docker/compose-entrypoint.sh | 2 + packages/backend/.env-example | 1 + .../src/apps/typeform/auth/verify-webhook.ts | 2 +- packages/backend/src/config/app.ts | 9 +++- packages/docs/pages/advanced/configuration.md | 47 ++++++++++--------- packages/docs/pages/advanced/credentials.md | 2 +- packages/docs/pages/guide/installation.md | 4 +- 8 files changed, 41 insertions(+), 28 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index fbbb0a1b..c6fb050c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -23,6 +23,7 @@ services: - POSTGRES_USERNAME=automatisch_user - POSTGRES_PASSWORD=automatisch_password - ENCRYPTION_KEY + - WEBHOOK_SECRET_KEY - APP_SECRET_KEY volumes: - automatisch_storage:/automatisch/storage @@ -41,6 +42,7 @@ services: - POSTGRES_USERNAME=automatisch_user - POSTGRES_PASSWORD=automatisch_password - ENCRYPTION_KEY + - WEBHOOK_SECRET_KEY - APP_SECRET_KEY - WORKER=true volumes: diff --git a/docker/compose-entrypoint.sh b/docker/compose-entrypoint.sh index 3a5448c6..60e59f8c 100755 --- a/docker/compose-entrypoint.sh +++ b/docker/compose-entrypoint.sh @@ -5,8 +5,10 @@ set -e if [ ! -f /automatisch/storage/.env ]; then >&2 echo "Saving environment variables" ENCRYPTION_KEY="${ENCRYPTION_KEY:-$(openssl rand -base64 36)}" + WEBHOOK_SECRET_KEY="${WEBHOOK_SECRET_KEY:-$(openssl rand -base64 36)}" APP_SECRET_KEY="${APP_SECRET_KEY:-$(openssl rand -base64 36)}" echo "ENCRYPTION_KEY=$ENCRYPTION_KEY" >> /automatisch/storage/.env + echo "WEBHOOK_SECRET_KEY=$WEBHOOK_SECRET_KEY" >> /automatisch/storage/.env echo "APP_SECRET_KEY=$APP_SECRET_KEY" >> /automatisch/storage/.env fi diff --git a/packages/backend/.env-example b/packages/backend/.env-example index 924bd16c..27ee434e 100644 --- a/packages/backend/.env-example +++ b/packages/backend/.env-example @@ -11,6 +11,7 @@ POSTGRES_USERNAME=automatish_development_user POSTGRES_PASSWORD= POSTGRES_ENABLE_SSL=false ENCRYPTION_KEY=sample-encryption-key +WEBHOOK_SECRET_KEY=sample-webhook-key APP_SECRET_KEY=sample-app-secret-key REDIS_PORT=6379 REDIS_HOST=127.0.0.1 diff --git a/packages/backend/src/apps/typeform/auth/verify-webhook.ts b/packages/backend/src/apps/typeform/auth/verify-webhook.ts index f5ba0d46..19dd8806 100644 --- a/packages/backend/src/apps/typeform/auth/verify-webhook.ts +++ b/packages/backend/src/apps/typeform/auth/verify-webhook.ts @@ -11,7 +11,7 @@ const verifyWebhook = async ($: IGlobalVariable) => { const verifySignature = function (receivedSignature: string, payload: string) { const hash = crypto - .createHmac('sha256', appConfig.appSecretKey) + .createHmac('sha256', appConfig.webhookSecretKey) .update(payload) .digest('base64'); return receivedSignature === `sha256=${hash}`; diff --git a/packages/backend/src/config/app.ts b/packages/backend/src/config/app.ts index 7403421e..6f81c2ed 100644 --- a/packages/backend/src/config/app.ts +++ b/packages/backend/src/config/app.ts @@ -18,6 +18,7 @@ type AppConfig = { postgresEnableSsl: boolean; baseUrl: string; encryptionKey: string; + webhookSecretKey: string; appSecretKey: string; serveWebAppSeparately: boolean; redisHost: string; @@ -63,6 +64,7 @@ const appConfig: AppConfig = { postgresPassword: process.env.POSTGRES_PASSWORD, postgresEnableSsl: process.env.POSTGRES_ENABLE_SSL === 'true', encryptionKey: process.env.ENCRYPTION_KEY || '', + webhookSecretKey: process.env.WEBHOOK_SECRET_KEY || '', appSecretKey: process.env.APP_SECRET_KEY || '', serveWebAppSeparately, redisHost: process.env.REDIS_HOST || '127.0.0.1', @@ -70,8 +72,7 @@ const appConfig: AppConfig = { redisUsername: process.env.REDIS_USERNAME, redisPassword: process.env.REDIS_PASSWORD, redisTls: process.env.REDIS_TLS === 'true', - enableBullMQDashboard: - process.env.ENABLE_BULLMQ_DASHBOARD === 'true', + enableBullMQDashboard: process.env.ENABLE_BULLMQ_DASHBOARD === 'true', bullMQDashboardUsername: process.env.BULLMQ_DASHBOARD_USERNAME, bullMQDashboardPassword: process.env.BULLMQ_DASHBOARD_PASSWORD, baseUrl, @@ -84,4 +85,8 @@ if (!appConfig.encryptionKey) { throw new Error('ENCRYPTION_KEY environment variable needs to be set!'); } +if (!appConfig.webhookSecretKey) { + throw new Error('WEBHOOK_SECRET_KEY environment variable needs to be set!'); +} + export default appConfig; diff --git a/packages/docs/pages/advanced/configuration.md b/packages/docs/pages/advanced/configuration.md index 88d90ba1..cfcb25cd 100644 --- a/packages/docs/pages/advanced/configuration.md +++ b/packages/docs/pages/advanced/configuration.md @@ -11,28 +11,29 @@ The default values for some environment variables might be different in our deve ::: :::danger -Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless. +Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work. ::: -| Variable Name | Type | Default Value | Description | -| --------------------------- | ------- | ------------------ | ----------------------------------- | -| `HOST` | string | `localhost` | HTTP Host | -| `PROTOCOL` | string | `http` | HTTP Protocol | -| `PORT` | string | `3000` | HTTP Port | -| `APP_ENV` | string | `production` | Automatisch Environment | -| `POSTGRES_DATABASE` | string | `automatisch` | Database Name | -| `POSTGRES_PORT` | number | `5432` | Database Port | -| `POSTGRES_HOST` | string | `postgres` | Database Host | -| `POSTGRES_USERNAME` | string | `automatisch_user` | Database User | -| `POSTGRES_PASSWORD` | string | | Password of Database User | -| `ENCRYPTION_KEY` | string | | Encryption Key to store credentials | -| `APP_SECRET_KEY` | string | | Secret Key to authenticate the user | -| `REDIS_HOST` | string | `redis` | Redis Host | -| `REDIS_PORT` | number | `6379` | Redis Port | -| `REDIS_USERNAME` | string | `` | Redis Username | -| `REDIS_PASSWORD` | string | `` | Redis Password | -| `REDIS_TLS` | boolean | `false` | Redis TLS | -| `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry | -| `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard | -| `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard | -| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard | +| Variable Name | Type | Default Value | Description | +| --------------------------- | ------- | ------------------ | --------------------------------------------- | +| `HOST` | string | `localhost` | HTTP Host | +| `PROTOCOL` | string | `http` | HTTP Protocol | +| `PORT` | string | `3000` | HTTP Port | +| `APP_ENV` | string | `production` | Automatisch Environment | +| `POSTGRES_DATABASE` | string | `automatisch` | Database Name | +| `POSTGRES_PORT` | number | `5432` | Database Port | +| `POSTGRES_HOST` | string | `postgres` | Database Host | +| `POSTGRES_USERNAME` | string | `automatisch_user` | Database User | +| `POSTGRES_PASSWORD` | string | | Password of Database User | +| `ENCRYPTION_KEY` | string | | Encryption Key to store credentials | +| `WEBHOOK_SECRET_KEY` | string | | Webhook Secret Key to verify webhook requests | +| `APP_SECRET_KEY` | string | | Secret Key to authenticate the user | +| `REDIS_HOST` | string | `redis` | Redis Host | +| `REDIS_PORT` | number | `6379` | Redis Port | +| `REDIS_USERNAME` | string | `` | Redis Username | +| `REDIS_PASSWORD` | string | `` | Redis Password | +| `REDIS_TLS` | boolean | `false` | Redis TLS | +| `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry | +| `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard | +| `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard | +| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard | diff --git a/packages/docs/pages/advanced/credentials.md b/packages/docs/pages/advanced/credentials.md index f1223acc..e30a88a3 100644 --- a/packages/docs/pages/advanced/credentials.md +++ b/packages/docs/pages/advanced/credentials.md @@ -5,5 +5,5 @@ We need to store your credentials in order to automatically communicate with thi Automatisch uses AES specification to encrypt and decrypt your credentials of third-party services. The Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated. AES is now used worldwide to protect sensitive information. :::danger -Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless. +Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work. ::: diff --git a/packages/docs/pages/guide/installation.md b/packages/docs/pages/guide/installation.md index 8dca2d25..fb88f0bb 100644 --- a/packages/docs/pages/guide/installation.md +++ b/packages/docs/pages/guide/installation.md @@ -7,7 +7,7 @@ You can use `user@automatisch.io` email address and `sample` password to login t ::: :::danger -Please be careful with the `ENCRYPTION_KEY` and `APP_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services. If you change them, you will not be able to access your connections and thus, your existing flows and connections will be useless. +Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work. ::: ## Docker Compose @@ -47,6 +47,7 @@ HOST= PROTOCOL= PORT= ENCRYPTION_KEY= +WEBHOOK_SECRET_KEY= APP_SECRET_KEY= POSTGRES_HOST= POSTGRES_PORT= @@ -78,6 +79,7 @@ HOST= PROTOCOL= PORT= ENCRYPTION_KEY= +WEBHOOK_SECRET_KEY= APP_SECRET_KEY= POSTGRES_HOST= POSTGRES_PORT=