forked from vikunja/vikunja
Pass HMAC in header for integrity
This commit is contained in:
parent
c9e67570ea
commit
1745dbb85d
|
@ -160,8 +160,9 @@ const (
|
|||
MetricsUsername Key = `metrics.username`
|
||||
MetricsPassword Key = `metrics.password`
|
||||
|
||||
WebhookEnabled Key = "webhook.enabled"
|
||||
WebhookEndpointURL Key = "webhook.endpointurl"
|
||||
WebhookNotificationsEnabled Key = "notifications.webhook.enabled"
|
||||
WebhookNotificationEndpointURL Key = "notifications.webhook.endpointurl"
|
||||
WebhookNotificationSignatureSecret Key = "notifications.webhook.signaturesecret"
|
||||
)
|
||||
|
||||
// GetString returns a string config value
|
||||
|
@ -370,8 +371,9 @@ func InitDefaultConfig() {
|
|||
KeyvalueType.setDefault("memory")
|
||||
// Metrics
|
||||
MetricsEnabled.setDefault(false)
|
||||
// Webhook Notifications
|
||||
WebhookEnabled.setDefault(false)
|
||||
// Webhook Notification
|
||||
WebhookNotificationsEnabled.setDefault(false)
|
||||
WebhookNotificationSignatureSecret.setDefault("")
|
||||
}
|
||||
|
||||
// InitConfig initializes the config, sets defaults etc.
|
||||
|
|
|
@ -16,7 +16,6 @@ func DoPost(url string, body string, headers map[string]string) (resp *http.Resp
|
|||
for k, v := range headers {
|
||||
req.Header.Add(k, v)
|
||||
}
|
||||
req.Header.Add("Content-Type", "application/json")
|
||||
hc := http.Client{}
|
||||
return hc.Do(req)
|
||||
}
|
||||
|
|
|
@ -59,7 +59,7 @@ func Notify(notifiable Notifiable, notification Notification) (err error) {
|
|||
return
|
||||
}
|
||||
|
||||
if config.WebhookEnabled.GetBool() {
|
||||
if config.WebhookNotificationsEnabled.GetBool() {
|
||||
err = notifyWebhook(notifiable, notification)
|
||||
if err != nil {
|
||||
return
|
||||
|
@ -90,10 +90,14 @@ func notifyWebhook(notifiable Notifiable, notification Notification) error {
|
|||
return err
|
||||
}
|
||||
|
||||
signature := GenerateHMAC(string(content))
|
||||
webhookNotification := &WebhookNotification{
|
||||
endpointURL: config.DatabasePassword.GetString(),
|
||||
headers: map[string]string{}, // TODO: allow passing user-configurable headers
|
||||
body: string(content),
|
||||
endpointURL: config.WebhookNotificationEndpointURL.GetString(),
|
||||
headers: map[string]string{
|
||||
webhookNotificationSignatureHeader: signature,
|
||||
webhookNotificationContentTypeHeader: "application/json",
|
||||
},
|
||||
body: string(content),
|
||||
}
|
||||
|
||||
return SendWebhook(webhookNotification)
|
||||
|
|
|
@ -16,6 +16,19 @@
|
|||
|
||||
package notifications
|
||||
|
||||
import (
|
||||
"crypto/hmac"
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
|
||||
"code.vikunja.io/api/pkg/config"
|
||||
)
|
||||
|
||||
const (
|
||||
webhookNotificationSignatureHeader = "x-vikunja-signature"
|
||||
webhookNotificationContentTypeHeader = "Content-Type"
|
||||
)
|
||||
|
||||
// WebhookNotification represents a notification that published to a http endpoint
|
||||
type WebhookNotification struct {
|
||||
endpointURL string
|
||||
|
@ -23,6 +36,13 @@ type WebhookNotification struct {
|
|||
body string
|
||||
}
|
||||
|
||||
// GenerateHMAC generates a HMAC code for the webhook body signed with the configured secret
|
||||
func GenerateHMAC(requestBody string) string {
|
||||
h := hmac.New(sha256.New, []byte(config.WebhookNotificationSignatureSecret.GetString()))
|
||||
h.Write([]byte(requestBody))
|
||||
return hex.EncodeToString(h.Sum(nil))
|
||||
}
|
||||
|
||||
// SendWebhook sends the notification to the configured endpoint
|
||||
func SendWebhook(w *WebhookNotification) error {
|
||||
resp, err := DoPost(w.endpointURL, w.body, w.headers)
|
||||
|
|
Loading…
Reference in New Issue