This repository has been archived by the owner on May 5, 2021. It is now read-only.

Add auth field #26

Open
wants to merge 3 commits into
base: master

Conversation

imsickofmaps
Contributor

This is a proposal to add an optional Authorization header to the webhook. Doing so would allow a higher level of security to the outbound payload. Thoughts?

@bryanhelmig
Member

What level of security are you looking for here? So that the receiver can verify the authenticity of the webhooks?

@imsickofmaps
Contributor Author

@bryanhelmig yes, so the receiver can say "when you talk to me, use this auth token so I can trust you". The flip side to increasing trust requirements is being able to easily discard anything that doesn't auth, reducing processing.

@bryanhelmig
Member

Pretty interesting. I'm not sure I'd advocate adding a column for that though.

Consider an alternative - a shared secret combined with hmac hashing could accomplish the same thing without needing to store extra state per subscription.

The secret could be your API key or even a static value you share with trusted partners. Not sure your requirements. Take a look at Mailgun - they do something like this.

@imsickofmaps
Contributor Author

Thanks for the counter suggestion, it's an interesting one. I'll have a look at the implementation and document and share the setup if it works for us.

@bryanhelmig
Member

Awesome! I'd be down to see some utilities added here or at least documentation if you get something working.

@pk026
Contributor

pk026 commented Apr 20, 2017

@imsickofmaps did you get anything working for authentication? Please let us know.

Thanks in advance

@imsickofmaps
Contributor Author

@pk026 we used a solution like this in the end which re-used the auth token: https://gist.github.com/imsickofmaps/09dcb8c4aa37ed5057ce6c190d19b0ae

I recommend signing, though, as a better, more scalable solution. Check https://documentation.mailgun.com/user_manual.html?highlight=hmac#webhooks for ideas.
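
The shared-secret HMAC signing suggested in this thread, sketched for both the sender and the receiver. This is an added example, not code from the pull request, the linked gist or Mailgun; the header names, the timestamp binding and the five-minute freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed names for this sketch; neither header appears in the thread.
SIG_HEADER = "X-Hook-Signature"
TS_HEADER = "X-Hook-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed freshness window: 5 minutes either way


def _mac(secret: bytes, timestamp: str, body: bytes) -> str:
    # Bind the timestamp to the body so neither can be swapped independently.
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_delivery(secret: bytes, payload: dict, now: Optional[float] = None):
    """Sender: serialize once, sign those exact bytes, return (headers, body)."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    ts = str(int(time.time() if now is None else now))
    return {SIG_HEADER: _mac(secret, ts, body), TS_HEADER: ts}, body


def verify_delivery(secret: bytes, headers: dict, body: bytes,
                    now: Optional[float] = None) -> bool:
    """Receiver: verify the raw request bytes before parsing any JSON."""
    ts = headers.get(TS_HEADER, "")
    sig = headers.get(SIG_HEADER, "")
    if not (ts.isascii() and ts.isdigit()) or not sig:
        return False  # unsigned or malformed: discard without further work
    current = time.time() if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated delivery, treated as a replay
    expected = _mac(secret, ts, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    hdrs, raw = sign_delivery(secret, {"event": "user.created", "id": 7})
    print(verify_delivery(secret, hdrs, raw))         # genuine delivery
    print(verify_delivery(secret, hdrs, raw + b" "))  # body altered in transit
```

The receiver must verify the bytes exactly as received; re-serializing parsed JSON before checking the MAC can change the bytes and fail valid deliveries.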


3 participants