Webhook Authenticator (#233)

Author: rmcdaniel

src/Auth/NullAuthenticator.php

@@ -8,8 +8,8 @@
 
 class NullAuthenticator implements WebhookAuthenticator
 {
-    public function validate(Request $request): bool
+    public function validate(Request $request): Request
     {
-        return true;
+        return $request;
     }
 }

src/Auth/SignatureAuthenticator.php

@@ -8,11 +8,14 @@
 
 class SignatureAuthenticator implements WebhookAuthenticator
 {
-    public function validate(Request $request): bool
+    public function validate(Request $request): Request
     {
-        return hash_equals(
+        if (! hash_equals(
             $request->header(config('workflows.webhook_auth.signature.header')) ?? '',
             hash_hmac('sha256', $request->getContent(), config('workflows.webhook_auth.signature.secret'))
-        );
+        )) {
+            abort(401, 'Unauthorized');
+        }
+        return $request;
     }
 }

src/Auth/TokenAuthenticator.php

@@ -8,10 +8,13 @@
 
 class TokenAuthenticator implements WebhookAuthenticator
 {
-    public function validate(Request $request): bool
+    public function validate(Request $request): Request
     {
-        return $request->header(config('workflows.webhook_auth.token.header')) === config(
+        if ($request->header(config('workflows.webhook_auth.token.header')) !== config(
             'workflows.webhook_auth.token.token'
-        );
+        )) {
+            abort(401, 'Unauthorized');
+        }
+        return $request;
     }
 }

src/Auth/WebhookAuthenticator.php

@@ -8,5 +8,5 @@
 
 interface WebhookAuthenticator
 {
-    public function validate(Request $request): bool;
+    public function validate(Request $request): Request;
 }

src/Webhooks.php

@@ -79,12 +79,7 @@ private static function registerWorkflowWebhooks($workflow, $basePath)
             if ($method->getName() === 'execute') {
                 $slug = Str::kebab(class_basename($workflow));
                 Route::post("{$basePath}/start/{$slug}", static function (Request $request) use ($workflow) {
-                    if (! self::validateAuth($request)) {
-                        return response()->json([
-                            'error' => 'Unauthorized',
-                        ], 401);
-                    }
-
+                    $request = self::validateAuth($request);
                     $params = self::resolveNamedParameters($workflow, 'execute', $request->all());
                     WorkflowStub::make($workflow)->start(...$params);
                     return response()->json([
@@ -101,24 +96,17 @@ private static function registerSignalWebhooks($workflow, $basePath)
             if (self::hasWebhookAttributeOnMethod($method)) {
                 $slug = Str::kebab(class_basename($workflow));
                 $signal = Str::kebab($method->getName());
-
                 Route::post(
                     "{$basePath}/signal/{$slug}/{workflowId}/{$signal}",
                     static function (Request $request, $workflowId) use ($workflow, $method) {
-                        if (! self::validateAuth($request)) {
-                            return response()->json([
-                                'error' => 'Unauthorized',
-                            ], 401);
-                        }
-
+                        $request = self::validateAuth($request);
                         $workflowInstance = WorkflowStub::load($workflowId);
                         $params = self::resolveNamedParameters(
                             $workflow,
                             $method->getName(),
                             $request->except('workflow_id')
                         );
                         $workflowInstance->{$method->getName()}(...$params);
-
                         return response()->json([
                             'message' => 'Signal sent',
                         ]);
@@ -164,7 +152,7 @@ private static function resolveNamedParameters($class, $method, $payload)
         return $params;
     }
 
-    private static function validateAuth(Request $request): bool
+    private static function validateAuth(Request $request): Request
     {
         $authenticatorClass = match (config('workflows.webhook_auth.method', 'none')) {
             'none' => NullAuthenticator::class,
@@ -174,10 +162,10 @@ private static function validateAuth(Request $request): bool
             default => null,
         };
 
-        if (is_subclass_of($authenticatorClass, WebhookAuthenticator::class)) {
-            return (new $authenticatorClass())->validate($request);
+        if (! is_subclass_of($authenticatorClass, WebhookAuthenticator::class)) {
+            abort(401, 'Unauthorized');
         }
 
-        return false;
+        return (new $authenticatorClass())->validate($request);
     }
 }

tests/Feature/ExceptionWorkflowTest.php

@@ -4,8 +4,8 @@
 
 namespace Tests\Feature;
 
-use Tests\Fixtures\NonRetryableTestExceptionWorkflow;
 use Tests\Fixtures\TestExceptionWorkflow;
+use Tests\Fixtures\TestNonRetryableExceptionWorkflow;
 use Tests\TestCase;
 use Workflow\Serializers\Serializer;
 use Workflow\States\WorkflowCompletedStatus;
@@ -34,7 +34,7 @@ public function testRetry(): void
 
     public function testNonRetryableException(): void
     {
-        $workflow = WorkflowStub::make(NonRetryableTestExceptionWorkflow::class);
+        $workflow = WorkflowStub::make(TestNonRetryableExceptionWorkflow::class);
 
         $workflow->start();
 

tests/Feature/WebhookWorkflowTest.php

@@ -111,7 +111,7 @@ public function testSignatureAuth()
 
         $response->assertStatus(401);
         $response->assertJson([
-            'error' => 'Unauthorized',
+            'message' => 'Unauthorized',
         ]);
 
         $response = $this->postJson('/webhooks/start/test-webhook-workflow', [], [
@@ -120,7 +120,7 @@ public function testSignatureAuth()
 
         $response->assertStatus(401);
         $response->assertJson([
-            'error' => 'Unauthorized',
+            'message' => 'Unauthorized',
         ]);
 
         $response = $this->postJson('/webhooks/start/test-webhook-workflow', [], [
@@ -166,7 +166,7 @@ public function testTokenAuth()
 
         $response->assertStatus(401);
         $response->assertJson([
-            'error' => 'Unauthorized',
+            'message' => 'Unauthorized',
         ]);
 
         $response = $this->postJson('/webhooks/start/test-webhook-workflow', [], [
@@ -175,7 +175,7 @@ public function testTokenAuth()
 
         $response->assertStatus(401);
         $response->assertJson([
-            'error' => 'Unauthorized',
+            'message' => 'Unauthorized',
         ]);
 
         $response = $this->postJson('/webhooks/start/test-webhook-workflow', [], [

tests/Fixtures/TestAuthenticator.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Fixtures;
+
+use Illuminate\Http\Request;
+use Workflow\Auth\WebhookAuthenticator;
+
+class TestAuthenticator implements WebhookAuthenticator
+{
+    public function validate(Request $request): Request
+    {
+        if ($request->header('Authorization')) {
+            return $request;
+        }
+        abort(401, 'Unauthorized');
+    }
+}

…es/NonRetryableTestExceptionActivity.php …es/TestNonRetryableExceptionActivity.phptests/Fixtures/NonRetryableTestExceptionActivity.php renamed to tests/Fixtures/TestNonRetryableExceptionActivity.php tests/Fixtures/NonRetryableTestExceptionActivity.php renamed to tests/Fixtures/TestNonRetryableExceptionActivity.php

@@ -7,7 +7,7 @@
 use Workflow\Activity;
 use Workflow\Exceptions\NonRetryableException;
 
-final class NonRetryableTestExceptionActivity extends Activity
+final class TestNonRetryableExceptionActivity extends Activity
 {
     public function execute()
     {

…es/NonRetryableTestExceptionWorkflow.php …es/TestNonRetryableExceptionWorkflow.phptests/Fixtures/NonRetryableTestExceptionWorkflow.php renamed to tests/Fixtures/TestNonRetryableExceptionWorkflow.php tests/Fixtures/NonRetryableTestExceptionWorkflow.php renamed to tests/Fixtures/TestNonRetryableExceptionWorkflow.php

@@ -7,11 +7,11 @@
 use Workflow\ActivityStub;
 use Workflow\Workflow;
 
-final class NonRetryableTestExceptionWorkflow extends Workflow
+final class TestNonRetryableExceptionWorkflow extends Workflow
 {
     public function execute()
     {
-        yield ActivityStub::make(NonRetryableTestExceptionActivity::class);
+        yield ActivityStub::make(TestNonRetryableExceptionActivity::class);
         yield ActivityStub::make(TestActivity::class);
 
         return 'Workflow completes';