
docs: add info for webhook signature validation #3054

Open. Wants to merge 1 commit into base: main.
Conversation

brad-dow
Contributor

Adding content for optional but recommended webhook signature validation

Fixes #3022

@github-actions github-actions bot added the pkg: documentation Changes in the documentation package. label Oct 30, 2024

netlify bot commented Oct 30, 2024

Deploy Preview for brilliant-pasca-3e80ec ready!

Name Link
🔨 Latest commit 52c98f9
🔍 Latest deploy log https://app.netlify.com/sites/brilliant-pasca-3e80ec/deploys/67229722ce853500084d8d68
😎 Deploy Preview https://deploy-preview-3054--brilliant-pasca-3e80ec.netlify.app


### Compare the signatures

Finally, compare the signature in the header to the expected signature you generated. For security, use a constant-time comparison function to prevent timing attacks. Also, check the timestamp to ensure that it is within the allowed TTL (configured in the `ADMIN_API_SIGNATURE_TTL_SECONDS` environment variable) to ensure freshness.

Suggested change
Finally, compare the signature in the header to the expected signature you generated. For security, use a constant-time comparison function to prevent timing attacks. Also, check the timestamp to ensure that it is within the allowed TTL (configured in the `ADMIN_API_SIGNATURE_TTL_SECONDS` environment variable) to ensure freshness.
Finally, compare the signature in the header to the expected signature you generated. For security, use a constant-time comparison function to prevent timing attacks.

Does not apply to webhooks for now


To protect your endpoint from unauthorized or spoofed requests, Rafiki supports an optional, but highly recommended, webhook signature verification process. By enabling signature verification, you can ensure that webhook requests are genuinely from Rafiki.

Each webhook request includes a `Rafiki-Signature` header with a timestamp and signature digest. If your instance is configured with a `SIGNATURE_SECRET` environment variable, you can verify the authenticity of each webhook request using the steps below.

Version is set using SIGNATURE_VERSION

Comment on lines +185 to +196
```
// Really cool code example in some commonly used language (JavaScript, Python?)

// Extract timestamp and signatures from header

// Prepare the signed payload string

// Generate the expected signature

// Compare the signatures and check the timestamp

```

Suggested change
```
// Really cool code example in some commonly used language (JavaScript, Python?)
// Extract timestamp and signatures from header
// Prepare the signed payload string
// Generate the expected signature
// Compare the signatures and check the timestamp
```
```ts
import { createHmac, timingSafeEqual } from 'crypto'
// JSON canonicalization helper; the json-canonicalize package is assumed here
import { canonicalize } from 'json-canonicalize'

function verifyWebhookSignature(request: Request): boolean {
  // Header format: `t=<timestamp>, v<version>=<hex digest>`
  const signatureParts = request.headers['Rafiki-Signature'].split(', ')
  const timestamp = signatureParts[0].split('=')[1]
  const signatureVersionAndDigest = signatureParts[1].split('=')
  const signatureVersion = signatureVersionAndDigest[0].replace('v', '')
  const signatureDigest = signatureVersionAndDigest[1]
  if (signatureVersion !== config['SIGNATURE_VERSION']) {
    return false
  }
  // The signed payload is the timestamp joined to the canonicalized body
  const payload = `${timestamp}.${canonicalize(request.body)}`
  const hmac = createHmac('sha256', config['SIGNATURE_SECRET'])
  hmac.update(payload)
  const digest = hmac.digest('hex')
  // Constant-time comparison; the length check guards timingSafeEqual, which throws on unequal buffers
  const expected = Buffer.from(digest, 'hex')
  const received = Buffer.from(signatureDigest, 'hex')
  return expected.length === received.length && timingSafeEqual(expected, received)
}
```
