groot/automatisch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Introduce webhook secret key to verify webhook requests

Browse Source
This commit is contained in:
Faruk AYDIN
2022-12-07 13:09:04 +01:00
parent 5d80fd523c
commit 75196cbf84
8 changed files with 41 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docker-compose.yml
View File

@@ -23,6 +23,7 @@ services:
- POSTGRES_USERNAME=automatisch_user - POSTGRES_USERNAME=automatisch_user
- POSTGRES_PASSWORD=automatisch_password - POSTGRES_PASSWORD=automatisch_password
- ENCRYPTION_KEY - ENCRYPTION_KEY
- WEBHOOK_SECRET_KEY
- APP_SECRET_KEY - APP_SECRET_KEY
volumes: volumes:
- automatisch_storage:/automatisch/storage - automatisch_storage:/automatisch/storage
@@ -41,6 +42,7 @@ services:
- POSTGRES_USERNAME=automatisch_user - POSTGRES_USERNAME=automatisch_user
- POSTGRES_PASSWORD=automatisch_password - POSTGRES_PASSWORD=automatisch_password
- ENCRYPTION_KEY - ENCRYPTION_KEY
- WEBHOOK_SECRET_KEY
- APP_SECRET_KEY - APP_SECRET_KEY
- WORKER=true - WORKER=true
volumes: volumes:

2
docker/compose-entrypoint.sh
View File

@@ -5,8 +5,10 @@ set -e
if [ ! -f /automatisch/storage/.env ]; then if [ ! -f /automatisch/storage/.env ]; then
>&2 echo "Saving environment variables" >&2 echo "Saving environment variables"
ENCRYPTION_KEY="${ENCRYPTION_KEY:-$(openssl rand -base64 36)}" ENCRYPTION_KEY="${ENCRYPTION_KEY:-$(openssl rand -base64 36)}"
WEBHOOK_SECRET_KEY="${WEBHOOK_SECRET_KEY:-$(openssl rand -base64 36)}"
APP_SECRET_KEY="${APP_SECRET_KEY:-$(openssl rand -base64 36)}" APP_SECRET_KEY="${APP_SECRET_KEY:-$(openssl rand -base64 36)}"
echo "ENCRYPTION_KEY=$ENCRYPTION_KEY" >> /automatisch/storage/.env echo "ENCRYPTION_KEY=$ENCRYPTION_KEY" >> /automatisch/storage/.env
echo "WEBHOOK_SECRET_KEY=$WEBHOOK_SECRET_KEY" >> /automatisch/storage/.env
echo "APP_SECRET_KEY=$APP_SECRET_KEY" >> /automatisch/storage/.env echo "APP_SECRET_KEY=$APP_SECRET_KEY" >> /automatisch/storage/.env
fi fi

1
packages/backend/.env-example
View File

@@ -11,6 +11,7 @@ POSTGRES_USERNAME=automatish_development_user
POSTGRES_PASSWORD= POSTGRES_PASSWORD=
POSTGRES_ENABLE_SSL=false POSTGRES_ENABLE_SSL=false
ENCRYPTION_KEY=sample-encryption-key ENCRYPTION_KEY=sample-encryption-key
WEBHOOK_SECRET_KEY=sample-webhook-key
APP_SECRET_KEY=sample-app-secret-key APP_SECRET_KEY=sample-app-secret-key
REDIS_PORT=6379 REDIS_PORT=6379
REDIS_HOST=127.0.0.1 REDIS_HOST=127.0.0.1

2
packages/backend/src/apps/typeform/auth/verify-webhook.ts
View File

@@ -11,7 +11,7 @@ const verifyWebhook = async ($: IGlobalVariable) => {
const verifySignature = function (receivedSignature: string, payload: string) { const verifySignature = function (receivedSignature: string, payload: string) {
const hash = crypto const hash = crypto
.createHmac('sha256', appConfig.appSecretKey) .createHmac('sha256', appConfig.webhookSecretKey)
.update(payload) .update(payload)
.digest('base64'); .digest('base64');
return receivedSignature === `sha256=${hash}`; return receivedSignature === `sha256=${hash}`;

9
packages/backend/src/config/app.ts
View File

@@ -18,6 +18,7 @@ type AppConfig = {
postgresEnableSsl: boolean; postgresEnableSsl: boolean;
baseUrl: string; baseUrl: string;
encryptionKey: string; encryptionKey: string;
webhookSecretKey: string;
appSecretKey: string; appSecretKey: string;
serveWebAppSeparately: boolean; serveWebAppSeparately: boolean;
redisHost: string; redisHost: string;
@@ -63,6 +64,7 @@ const appConfig: AppConfig = {
postgresPassword: process.env.POSTGRES_PASSWORD, postgresPassword: process.env.POSTGRES_PASSWORD,
postgresEnableSsl: process.env.POSTGRES_ENABLE_SSL === 'true', postgresEnableSsl: process.env.POSTGRES_ENABLE_SSL === 'true',
encryptionKey: process.env.ENCRYPTION_KEY || '', encryptionKey: process.env.ENCRYPTION_KEY || '',
webhookSecretKey: process.env.WEBHOOK_SECRET_KEY || '',
appSecretKey: process.env.APP_SECRET_KEY || '', appSecretKey: process.env.APP_SECRET_KEY || '',
serveWebAppSeparately, serveWebAppSeparately,
redisHost: process.env.REDIS_HOST || '127.0.0.1', redisHost: process.env.REDIS_HOST || '127.0.0.1',
@@ -70,8 +72,7 @@ const appConfig: AppConfig = {
redisUsername: process.env.REDIS_USERNAME, redisUsername: process.env.REDIS_USERNAME,
redisPassword: process.env.REDIS_PASSWORD, redisPassword: process.env.REDIS_PASSWORD,
redisTls: process.env.REDIS_TLS === 'true', redisTls: process.env.REDIS_TLS === 'true',
enableBullMQDashboard: enableBullMQDashboard: process.env.ENABLE_BULLMQ_DASHBOARD === 'true',
process.env.ENABLE_BULLMQ_DASHBOARD === 'true',
bullMQDashboardUsername: process.env.BULLMQ_DASHBOARD_USERNAME, bullMQDashboardUsername: process.env.BULLMQ_DASHBOARD_USERNAME,
bullMQDashboardPassword: process.env.BULLMQ_DASHBOARD_PASSWORD, bullMQDashboardPassword: process.env.BULLMQ_DASHBOARD_PASSWORD,
baseUrl, baseUrl,
@@ -84,4 +85,8 @@ if (!appConfig.encryptionKey) {
throw new Error('ENCRYPTION_KEY environment variable needs to be set!'); throw new Error('ENCRYPTION_KEY environment variable needs to be set!');
} }
if (!appConfig.webhookSecretKey) {
throw new Error('WEBHOOK_SECRET_KEY environment variable needs to be set!');
}
export default appConfig; export default appConfig;

47
packages/docs/pages/advanced/configuration.md
View File

@@ -11,28 +11,29 @@ The default values for some environment variables might be different in our deve
::: :::
:::danger :::danger
Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless. Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
::: :::
| Variable Name | Type | Default Value | Description | | Variable Name | Type | Default Value | Description |
| --------------------------- | ------- | ------------------ | ----------------------------------- | | --------------------------- | ------- | ------------------ | --------------------------------------------- |
| `HOST` | string | `localhost` | HTTP Host | | `HOST` | string | `localhost` | HTTP Host |
| `PROTOCOL` | string | `http` | HTTP Protocol | | `PROTOCOL` | string | `http` | HTTP Protocol |
| `PORT` | string | `3000` | HTTP Port | | `PORT` | string | `3000` | HTTP Port |
| `APP_ENV` | string | `production` | Automatisch Environment | | `APP_ENV` | string | `production` | Automatisch Environment |
| `POSTGRES_DATABASE` | string | `automatisch` | Database Name | | `POSTGRES_DATABASE` | string | `automatisch` | Database Name |
| `POSTGRES_PORT` | number | `5432` | Database Port | | `POSTGRES_PORT` | number | `5432` | Database Port |
| `POSTGRES_HOST` | string | `postgres` | Database Host | | `POSTGRES_HOST` | string | `postgres` | Database Host |
| `POSTGRES_USERNAME` | string | `automatisch_user` | Database User | | `POSTGRES_USERNAME` | string | `automatisch_user` | Database User |
| `POSTGRES_PASSWORD` | string | | Password of Database User | | `POSTGRES_PASSWORD` | string | | Password of Database User |
| `ENCRYPTION_KEY` | string | | Encryption Key to store credentials | | `ENCRYPTION_KEY` | string | | Encryption Key to store credentials |
| `APP_SECRET_KEY` | string | | Secret Key to authenticate the user | | `WEBHOOK_SECRET_KEY` | string | | Webhook Secret Key to verify webhook requests |
| `REDIS_HOST` | string | `redis` | Redis Host | | `APP_SECRET_KEY` | string | | Secret Key to authenticate the user |
| `REDIS_PORT` | number | `6379` | Redis Port | | `REDIS_HOST` | string | `redis` | Redis Host |
| `REDIS_USERNAME` | string | `` | Redis Username | | `REDIS_PORT` | number | `6379` | Redis Port |
| `REDIS_PASSWORD` | string | `` | Redis Password | | `REDIS_USERNAME` | string | `` | Redis Username |
| `REDIS_TLS` | boolean | `false` | Redis TLS | | `REDIS_PASSWORD` | string | `` | Redis Password |
| `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry | | `REDIS_TLS` | boolean | `false` | Redis TLS |
| `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard | | `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry |
| `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard | | `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard |
| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard | | `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard |
| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard |

2
packages/docs/pages/advanced/credentials.md
View File

@@ -5,5 +5,5 @@ We need to store your credentials in order to automatically communicate with thi
Automatisch uses AES specification to encrypt and decrypt your credentials of third-party services. The Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated. AES is now used worldwide to protect sensitive information. Automatisch uses AES specification to encrypt and decrypt your credentials of third-party services. The Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated. AES is now used worldwide to protect sensitive information.
:::danger :::danger
Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless. Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
::: :::

4
packages/docs/pages/guide/installation.md
View File

@@ -7,7 +7,7 @@ You can use `user@automatisch.io` email address and `sample` password to login t
::: :::
:::danger :::danger
Please be careful with the `ENCRYPTION_KEY` and `APP_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services. If you change them, you will not be able to access your connections and thus, your existing flows and connections will be useless. Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
::: :::
## Docker Compose ## Docker Compose
@@ -47,6 +47,7 @@ HOST=
PROTOCOL= PROTOCOL=
PORT= PORT=
ENCRYPTION_KEY= ENCRYPTION_KEY=
WEBHOOK_SECRET_KEY=
APP_SECRET_KEY= APP_SECRET_KEY=
POSTGRES_HOST= POSTGRES_HOST=
POSTGRES_PORT= POSTGRES_PORT=
@@ -78,6 +79,7 @@ HOST=
PROTOCOL= PROTOCOL=
PORT= PORT=
ENCRYPTION_KEY= ENCRYPTION_KEY=
WEBHOOK_SECRET_KEY=
APP_SECRET_KEY= APP_SECRET_KEY=
POSTGRES_HOST= POSTGRES_HOST=
POSTGRES_PORT= POSTGRES_PORT=