chatwoot/app/controllers/concerns
Sony Mathew a9ac1c633d
fix: added HMAC validation for Whatsapp and Instagram webhooks (#14280)
## Description
* Added Meta webhook HMAC validation in meta_token_verify_concern.rb.
* Wired it into instagram_controller.rb and whatsapp_controller.rb.
* WhatsApp now verifies X-Hub-Signature-256 with WHATSAPP_APP_SECRET.
* Instagram now verifies with either FB_APP_SECRET or INSTAGRAM_APP_SECRET.
* Updated request specs so missing/invalid signatures return 401 and valid signatures still enqueue jobs.


Fixes # (issue):
[CW-6786](https://linear.app/chatwoot/issue/CW-6786/ghsa-7rw7-pc8v-mrr3-unauthenticated-message-injection-via-missing)

## Type of change

Please delete options that are not relevant.

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality not to work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

* Updated the controller specs and ran them successfully.
* The original issue is no longer reproducible.


## Checklist:

- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [ ] I have commented on my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules

---------

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2026-05-05 15:01:11 +05:30
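The signature check the commit describes, as an added Ruby example that is not the Chatwoot project's own code: it verifies X-Hub-Signature-256 over the raw request body with an app secret, rejects a missing or malformed header, compares in constant time, and (for the Instagram case) accepts any one of several configured secrets. The module and method names are assumptions, and the secret and body are constructed sample values, not real credentials or Meta traffic.

```ruby
require 'openssl'

# Verifies a Meta (WhatsApp / Instagram) webhook signature.
# Meta sends "X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw body, keyed with the app secret>".
module MetaSignatureCheck
  HEADER_PREFIX = 'sha256='.freeze

  # Constant-time comparison: a wrong signature is rejected without leaking
  # how many leading bytes matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The value Meta would have sent for this body, in header form.
  def self.expected_signature(app_secret, raw_body)
    HEADER_PREFIX + OpenSSL::HMAC.hexdigest('SHA256', app_secret, raw_body)
  end

  # True only when a secret is configured and the header is present,
  # well-formed and matches the HMAC of the raw body (not a re-serialised JSON).
  def self.valid?(app_secret, raw_body, header_value)
    return false if app_secret.nil? || app_secret.empty?
    return false if header_value.nil? || !header_value.start_with?(HEADER_PREFIX)

    secure_compare(expected_signature(app_secret, raw_body), header_value)
  end

  # Instagram-style check: accept if any of the configured secrets matches
  # (nil entries for unset environment variables are skipped).
  def self.valid_with_any?(app_secrets, raw_body, header_value)
    app_secrets.compact.any? { |secret| valid?(secret, raw_body, header_value) }
  end
end

# Constructed sample values for the demonstration.
SAMPLE_SECRET = 'example-app-secret'.freeze
SAMPLE_BODY = '{"object":"whatsapp_business_account","entry":[]}'.freeze

if __FILE__ == $PROGRAM_NAME
  good = MetaSignatureCheck.expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
  puts MetaSignatureCheck.valid?(SAMPLE_SECRET, SAMPLE_BODY, good)        # true
  puts MetaSignatureCheck.valid?(SAMPLE_SECRET, SAMPLE_BODY, nil)         # false: missing header, respond 401
  puts MetaSignatureCheck.valid?(SAMPLE_SECRET, SAMPLE_BODY + ' ', good)  # false: body altered, respond 401
end
```

A controller should read the raw body (request.raw_post in Rails) before any JSON parsing, since re-serialising the parsed payload can change bytes and break the HMAC.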
.keep Initial Commit 2019-08-14 15:18:44 +05:30
access_token_auth_helper.rb feat: allow agent bots to toggle typing status (#13705) 2026-03-05 08:13:52 -08:00
attachment_concern.rb fix: Validate blob before attaching it to a record (#13115) 2025-12-19 19:02:21 -08:00
auth_helper.rb chore: Upgrade rails and ruby versions (#2400) 2021-08-03 20:11:52 +05:30
domain_helper.rb fix: Locale not correct in root url when accessing help center with custom domain (#9110) 2024-03-19 18:48:59 +05:30
ensure_current_account_helper.rb feat: APIs to assign agents_bots as assignee in conversations (#12836) 2025-11-18 18:20:58 -08:00
google_concern.rb refactor: use state-based authentication (#11690) 2025-06-18 17:39:06 +05:30
hmac_concern.rb feat: API to create HMAC verified conversations (#7209) 2023-05-29 21:57:24 +05:30
instagram_concern.rb feat: Instagram Inbox using Instagram Business Login (#11054) 2025-04-08 10:47:41 +05:30
label_concern.rb feat: API to add label to contacts (#1563) 2021-01-03 20:07:57 +05:30
meta_token_verify_concern.rb fix: added HMAC validation for Whatsapp and Instagram webhooks (#14280) 2026-05-05 15:01:11 +05:30
microsoft_concern.rb refactor: use state-based authentication (#11690) 2025-06-18 17:39:06 +05:30
notion_concern.rb feat: notion OAuth setup (#11765) 2025-06-26 19:16:06 +05:30
request_exception_handler.rb chore: Log errors handled by RequestExceptionHandler (#8013) 2023-09-30 19:46:58 -07:00
switch_locale.rb feat: Agent language settings (#11222) 2025-09-09 14:27:36 +05:30
twitter_concern.rb fix: Twitter inbox creation error (#1783) 2021-02-16 19:35:10 +05:30
website_token_helper.rb chore: Allow super admin to suspend an account (#5174) 2022-08-03 11:40:03 +05:30