mirror of
https://github.com/chatwoot/chatwoot.git
synced 2026-07-10 21:17:01 +08:00
Account webhooks sign outgoing payloads with HMAC-SHA256, but agent bot and API inbox webhooks were delivered unsigned. This PR adds the same signing to both. Each model gets a dedicated `secret` column rather than reusing the agent bot's `access_token` (for API auth back into Chatwoot) or the API inbox's `hmac_token` (for inbound contact identity verification). These serve different trust boundaries and shouldn't be coupled — rotating a signing secret shouldn't invalidate API access or contact verification. The existing `Webhooks::Trigger` already signs when a secret is present, so the backend change is just passing `secret:` through to the jobs. Shared token logic is extracted into a `WebhookSecretable` concern included by `Webhook`, `AgentBot`, and `Channel::Api`. The frontend reuses the existing `AccessToken` component for secret display. Secrets are admin-only and excluded from enterprise audit logs. ### How to test Point an agent bot or API inbox webhook URL at a request inspector. Send a message and verify `X-Chatwoot-Signature` and `X-Chatwoot-Timestamp` headers are present. Reset the secret from settings and confirm subsequent deliveries use the new value. --------- Co-authored-by: Sojan Jose <sojan@pepalo.com> |
||
|---|---|---|
| .. | ||
| api | ||
| concerns | ||
| devise_overrides | ||
| installation | ||
| linear | ||
| microsoft | ||
| notion | ||
| platform/api/v1 | ||
| public/api/v1 | ||
| shopify | ||
| super_admin | ||
| survey | ||
| tiktok | ||
| twilio | ||
| webhooks | ||
| android_app_controller.rb | ||
| api_controller.rb | ||
| apple_app_controller.rb | ||
| application_controller.rb | ||
| dashboard_controller.rb | ||
| health_controller.rb | ||
| microsoft_controller.rb | ||
| oauth_callback_controller.rb | ||
| platform_controller.rb | ||
| public_controller.rb | ||
| slack_uploads_controller.rb | ||
| swagger_controller.rb | ||
| widget_tests_controller.rb | ||
| widgets_controller.rb | ||