feat: Introduce webhook secret key to verify webhook requests
@@ -23,6 +23,7 @@ services:
|
||||
- POSTGRES_USERNAME=automatisch_user
|
||||
- POSTGRES_PASSWORD=automatisch_password
|
||||
- ENCRYPTION_KEY
|
||||
- WEBHOOK_SECRET_KEY
|
||||
- APP_SECRET_KEY
|
||||
volumes:
|
||||
- automatisch_storage:/automatisch/storage
|
||||
@@ -41,6 +42,7 @@ services:
|
||||
- POSTGRES_USERNAME=automatisch_user
|
||||
- POSTGRES_PASSWORD=automatisch_password
|
||||
- ENCRYPTION_KEY
|
||||
- WEBHOOK_SECRET_KEY
|
||||
- APP_SECRET_KEY
|
||||
- WORKER=true
|
||||
volumes:
|
||||
|
@@ -5,8 +5,10 @@ set -e
|
||||
if [ ! -f /automatisch/storage/.env ]; then
|
||||
>&2 echo "Saving environment variables"
|
||||
ENCRYPTION_KEY="${ENCRYPTION_KEY:-$(openssl rand -base64 36)}"
|
||||
WEBHOOK_SECRET_KEY="${WEBHOOK_SECRET_KEY:-$(openssl rand -base64 36)}"
|
||||
APP_SECRET_KEY="${APP_SECRET_KEY:-$(openssl rand -base64 36)}"
|
||||
echo "ENCRYPTION_KEY=$ENCRYPTION_KEY" >> /automatisch/storage/.env
|
||||
echo "WEBHOOK_SECRET_KEY=$WEBHOOK_SECRET_KEY" >> /automatisch/storage/.env
|
||||
echo "APP_SECRET_KEY=$APP_SECRET_KEY" >> /automatisch/storage/.env
|
||||
fi
|
||||
|
||||
|
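Review bot: The whole block is guarded by `if [ ! -f /automatisch/storage/.env ]`, so on an installation that already has that file from an earlier version the new `WEBHOOK_SECRET_KEY` line is never generated or appended, and — if the application later reads the key from that file, which this hunk does not show — the new `WEBHOOK_SECRET_KEY environment variable needs to be set!` startup check in the config hunk will fail after an upgrade. Generate and append the key in its own guard keyed on the variable's presence in the file, as below, so existing deployments pick it up on the first restart; a non-zero `grep -q` inside `if !` is safe under `set -e`. Consider also tightening the mode of the file holding these secrets, e.g. `umask 077` before the first write, since `>>` creates it with the default umask.
```shell
# … unchanged: initial .env creation (ENCRYPTION_KEY / APP_SECRET_KEY) …
if ! grep -q '^WEBHOOK_SECRET_KEY=' /automatisch/storage/.env; then
  WEBHOOK_SECRET_KEY="${WEBHOOK_SECRET_KEY:-$(openssl rand -base64 36)}"
  echo "WEBHOOK_SECRET_KEY=$WEBHOOK_SECRET_KEY" >> /automatisch/storage/.env
fi
```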
@@ -11,6 +11,7 @@ POSTGRES_USERNAME=automatish_development_user
|
||||
POSTGRES_PASSWORD=
|
||||
POSTGRES_ENABLE_SSL=false
|
||||
ENCRYPTION_KEY=sample-encryption-key
|
||||
WEBHOOK_SECRET_KEY=sample-webhook-key
|
||||
APP_SECRET_KEY=sample-app-secret-key
|
||||
REDIS_PORT=6379
|
||||
REDIS_HOST=127.0.0.1
|
||||
|
@@ -11,7 +11,7 @@ const verifyWebhook = async ($: IGlobalVariable) => {
|
||||
|
||||
const verifySignature = function (receivedSignature: string, payload: string) {
|
||||
const hash = crypto
|
||||
.createHmac('sha256', appConfig.appSecretKey)
|
||||
.createHmac('sha256', appConfig.webhookSecretKey)
|
||||
.update(payload)
|
||||
.digest('base64');
|
||||
return receivedSignature === `sha256=${hash}`;
|
||||
|
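Review bot: The comparison `receivedSignature === \`sha256=${hash}\`` on the last line of the hunk is a plain string equality, which stops at the first mismatching character; an HMAC check should use `crypto.timingSafeEqual`, and `crypto` is already in scope for `createHmac`. Replace the return with `const expected = \`sha256=${hash}\`;` followed by `return receivedSignature.length === expected.length && crypto.timingSafeEqual(Buffer.from(receivedSignature), Buffer.from(expected));` — the length guard is required because `timingSafeEqual` throws on buffers of different lengths. The enclosing `verifyWebhook` starts before the hunk and continues after it, so where `receivedSignature` is read from is not visible here.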
@@ -18,6 +18,7 @@ type AppConfig = {
|
||||
postgresEnableSsl: boolean;
|
||||
baseUrl: string;
|
||||
encryptionKey: string;
|
||||
webhookSecretKey: string;
|
||||
appSecretKey: string;
|
||||
serveWebAppSeparately: boolean;
|
||||
redisHost: string;
|
||||
@@ -63,6 +64,7 @@ const appConfig: AppConfig = {
|
||||
postgresPassword: process.env.POSTGRES_PASSWORD,
|
||||
postgresEnableSsl: process.env.POSTGRES_ENABLE_SSL === 'true',
|
||||
encryptionKey: process.env.ENCRYPTION_KEY || '',
|
||||
webhookSecretKey: process.env.WEBHOOK_SECRET_KEY || '',
|
||||
appSecretKey: process.env.APP_SECRET_KEY || '',
|
||||
serveWebAppSeparately,
|
||||
redisHost: process.env.REDIS_HOST || '127.0.0.1',
|
||||
@@ -70,8 +72,7 @@ const appConfig: AppConfig = {
|
||||
redisUsername: process.env.REDIS_USERNAME,
|
||||
redisPassword: process.env.REDIS_PASSWORD,
|
||||
redisTls: process.env.REDIS_TLS === 'true',
|
||||
enableBullMQDashboard:
|
||||
process.env.ENABLE_BULLMQ_DASHBOARD === 'true',
|
||||
enableBullMQDashboard: process.env.ENABLE_BULLMQ_DASHBOARD === 'true',
|
||||
bullMQDashboardUsername: process.env.BULLMQ_DASHBOARD_USERNAME,
|
||||
bullMQDashboardPassword: process.env.BULLMQ_DASHBOARD_PASSWORD,
|
||||
baseUrl,
|
||||
@@ -84,4 +85,8 @@ if (!appConfig.encryptionKey) {
|
||||
throw new Error('ENCRYPTION_KEY environment variable needs to be set!');
|
||||
}
|
||||
|
||||
if (!appConfig.webhookSecretKey) {
|
||||
throw new Error('WEBHOOK_SECRET_KEY environment variable needs to be set!');
|
||||
}
|
||||
|
||||
export default appConfig;
|
||||
|
@@ -11,28 +11,29 @@ The default values for some environment variables might be different in our deve
|
||||
:::
|
||||
|
||||
:::danger
|
||||
Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless.
|
||||
Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
|
||||
:::
|
||||
|
||||
| Variable Name | Type | Default Value | Description |
|
||||
| --------------------------- | ------- | ------------------ | ----------------------------------- |
|
||||
| `HOST` | string | `localhost` | HTTP Host |
|
||||
| `PROTOCOL` | string | `http` | HTTP Protocol |
|
||||
| `PORT` | string | `3000` | HTTP Port |
|
||||
| `APP_ENV` | string | `production` | Automatisch Environment |
|
||||
| `POSTGRES_DATABASE` | string | `automatisch` | Database Name |
|
||||
| `POSTGRES_PORT` | number | `5432` | Database Port |
|
||||
| `POSTGRES_HOST` | string | `postgres` | Database Host |
|
||||
| `POSTGRES_USERNAME` | string | `automatisch_user` | Database User |
|
||||
| `POSTGRES_PASSWORD` | string | | Password of Database User |
|
||||
| `ENCRYPTION_KEY` | string | | Encryption Key to store credentials |
|
||||
| `APP_SECRET_KEY` | string | | Secret Key to authenticate the user |
|
||||
| `REDIS_HOST` | string | `redis` | Redis Host |
|
||||
| `REDIS_PORT` | number | `6379` | Redis Port |
|
||||
| `REDIS_USERNAME` | string | `` | Redis Username |
|
||||
| `REDIS_PASSWORD` | string | `` | Redis Password |
|
||||
| `REDIS_TLS` | boolean | `false` | Redis TLS |
|
||||
| `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry |
|
||||
| `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard |
|
||||
| `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard |
|
||||
| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard |
|
||||
| Variable Name | Type | Default Value | Description |
|
||||
| --------------------------- | ------- | ------------------ | --------------------------------------------- |
|
||||
| `HOST` | string | `localhost` | HTTP Host |
|
||||
| `PROTOCOL` | string | `http` | HTTP Protocol |
|
||||
| `PORT` | string | `3000` | HTTP Port |
|
||||
| `APP_ENV` | string | `production` | Automatisch Environment |
|
||||
| `POSTGRES_DATABASE` | string | `automatisch` | Database Name |
|
||||
| `POSTGRES_PORT` | number | `5432` | Database Port |
|
||||
| `POSTGRES_HOST` | string | `postgres` | Database Host |
|
||||
| `POSTGRES_USERNAME` | string | `automatisch_user` | Database User |
|
||||
| `POSTGRES_PASSWORD` | string | | Password of Database User |
|
||||
| `ENCRYPTION_KEY` | string | | Encryption Key to store credentials |
|
||||
| `WEBHOOK_SECRET_KEY` | string | | Webhook Secret Key to verify webhook requests |
|
||||
| `APP_SECRET_KEY` | string | | Secret Key to authenticate the user |
|
||||
| `REDIS_HOST` | string | `redis` | Redis Host |
|
||||
| `REDIS_PORT` | number | `6379` | Redis Port |
|
||||
| `REDIS_USERNAME` | string | `` | Redis Username |
|
||||
| `REDIS_PASSWORD` | string | `` | Redis Password |
|
||||
| `REDIS_TLS` | boolean | `false` | Redis TLS |
|
||||
| `TELEMETRY_ENABLED` | boolean | `true` | Enable/Disable Telemetry |
|
||||
| `ENABLE_BULLMQ_DASHBOARD` | boolean | `false` | Enable BullMQ Dashboard |
|
||||
| `BULLMQ_DASHBOARD_USERNAME` | string | | Username to login BullMQ Dashboard |
|
||||
| `BULLMQ_DASHBOARD_PASSWORD` | string | | Password to login BullMQ Dashboard |
|
||||
|
@@ -5,5 +5,5 @@ We need to store your credentials in order to automatically communicate with thi
|
||||
Automatisch uses AES specification to encrypt and decrypt your credentials of third-party services. The Advanced Encryption Standard (AES) is a U.S. Federal Information Processing Standard (FIPS). It was selected after a 5-year process where 15 competing designs were evaluated. AES is now used worldwide to protect sensitive information.
|
||||
|
||||
:::danger
|
||||
Please be careful with the `ENCRYPTION_KEY` environment variable. It is used to encrypt your credentials from third-party services. If you change it, you will not be able to access your connections and thus, your existing flows and connections will be useless.
|
||||
Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
|
||||
:::
|
||||
|
@@ -7,7 +7,7 @@ You can use `user@automatisch.io` email address and `sample` password to login t
|
||||
:::
|
||||
|
||||
:::danger
|
||||
Please be careful with the `ENCRYPTION_KEY` and `APP_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services. If you change them, you will not be able to access your connections and thus, your existing flows and connections will be useless.
|
||||
Please be careful with the `ENCRYPTION_KEY` and `WEBHOOK_SECRET_KEY` environment variables. They are used to encrypt your credentials from third-party services and verify webhook requests. If you change them, your existing connections and flows will not continue to work.
|
||||
:::
|
||||
|
||||
## Docker Compose
|
||||
@@ -47,6 +47,7 @@ HOST=
|
||||
PROTOCOL=
|
||||
PORT=
|
||||
ENCRYPTION_KEY=
|
||||
WEBHOOK_SECRET_KEY=
|
||||
APP_SECRET_KEY=
|
||||
POSTGRES_HOST=
|
||||
POSTGRES_PORT=
|
||||
@@ -78,6 +79,7 @@ HOST=
|
||||
PROTOCOL=
|
||||
PORT=
|
||||
ENCRYPTION_KEY=
|
||||
WEBHOOK_SECRET_KEY=
|
||||
APP_SECRET_KEY=
|
||||
POSTGRES_HOST=
|
||||
POSTGRES_PORT=
|
||||
|