feat(gatehub): validate webhook signature (#1702)

dragosp1011 · web-flow · commit ca1940097ec8 · 2024-10-08T23:50:59.000+03:00
* feat(gatehub): validate webhook signature

* fix: return 200 on initial request
diff --git a/docker/dev/.env.example b/docker/dev/.env.example
@@ -8,6 +8,7 @@ RATE_API_KEY=
 
 GATEHUB_ACCESS_KEY=
 GATEHUB_SECRET_KEY=
+GATEHUB_WEBHOOK_SECRET=
 GATEHUB_GATEWAY_UUID=
 GATEHUB_VAULT_UUID_EUR=
 GATEHUB_VAULT_UUID_USD=
diff --git a/docker/dev/docker-compose.yml b/docker/dev/docker-compose.yml
@@ -52,6 +52,7 @@ services:
       KRATOS_ADMIN_URL: 'http://kratos:4434/admin'
       GATEHUB_ACCESS_KEY: ${GATEHUB_ACCESS_KEY}
       GATEHUB_SECRET_KEY: ${GATEHUB_SECRET_KEY}
+      GATEHUB_WEBHOOK_SECRET: ${GATEHUB_WEBHOOK_SECRET}
       GATEHUB_GATEWAY_UUID: ${GATEHUB_GATEWAY_UUID}
       GATEHUB_VAULT_UUID_EUR: ${GATEHUB_VAULT_UUID_EUR}
       GATEHUB_VAULT_UUID_USD: ${GATEHUB_VAULT_UUID_USD}
diff --git a/docker/prod/.env.example b/docker/prod/.env.example
@@ -29,6 +29,7 @@ WALLET_BACKEND_AUTH_DOMAIN=
 WALLET_BACKEND_GATEHUB_ENV=
 WALLET_BACKEND_GATEHUB_ACCESS_KEY=
 WALLET_BACKEND_GATEHUB_SECRET_KEY=
+WALLET_BACKEND_GATEHUB_WEBHOOK_SECRET=
 WALLET_BACKEND_GATEHUB_GATEWAY_UUID=
 WALLET_BACKEND_GATEHUB_VAULT_UUID_EUR=
 WALLET_BACKEND_GATEHUB_VAULT_UUID_USD=
diff --git a/docker/prod/docker-compose.yml b/docker/prod/docker-compose.yml
@@ -64,6 +64,7 @@ services:
       GATEHUB_ENV: ${WALLET_BACKEND_GATEHUB_ENV}
       GATEHUB_ACCESS_KEY: ${WALLET_BACKEND_GATEHUB_ACCESS_KEY}
       GATEHUB_SECRET_KEY: ${WALLET_BACKEND_GATEHUB_SECRET_KEY}
+      GATEHUB_WEBHOOK_SECRET: ${WALLET_BACKEND_GATEHUB_WEBHOOK_SECRET}
       GATEHUB_GATEWAY_UUID: ${WALLET_BACKEND_GATEHUB_GATEWAY_UUID}
       GATEHUB_VAULT_UUID_EUR: ${WALLET_BACKEND_GATEHUB_VAULT_UUID_EUR}
       GATEHUB_VAULT_UUID_USD: ${WALLET_BACKEND_GATEHUB_VAULT_UUID_USD}
diff --git a/packages/wallet/backend/src/app.ts b/packages/wallet/backend/src/app.ts
@@ -44,6 +44,7 @@ import { GateHubService } from '@/gatehub/service'
 import { CardController } from './card/controller'
 import { CardService } from './card/service'
 import { isRafikiSignedWebhook } from '@/middleware/isRafikiSignedWebhook'
+import { isGateHubSignedWebhook } from '@/middleware/isGateHubSignedWebhook'
 
 export interface Bindings {
   env: Env
@@ -309,7 +310,11 @@ export class App {
 
     // GateHub
     router.get('/iframe-urls/:type', isAuth, gateHubController.getIframeUrl)
-    router.post('/gatehub-webhooks', gateHubController.webhook)
+    router.post(
+      '/gatehub-webhooks',
+      isGateHubSignedWebhook,
+      gateHubController.webhook
+    )
     router.post(
       '/gatehub/add-user-to-gateway',
       isAuth,
diff --git a/packages/wallet/backend/src/config/env.ts b/packages/wallet/backend/src/config/env.ts
@@ -15,6 +15,7 @@ const envSchema = z.object({
   GATEHUB_ENV: z.enum(['production', 'sandbox']).default('sandbox'),
   GATEHUB_ACCESS_KEY: z.string().default('GATEHUB_ACCESS_KEY'),
   GATEHUB_SECRET_KEY: z.string().default('GATEHUB_SECRET_KEY'),
+  GATEHUB_WEBHOOK_SECRET: z.string().default('GATEHUB_WEBHOOK_SECRET'),
   GATEHUB_GATEWAY_UUID: z.string().default('GATEHUB_GATEWAY_UUID'),
   GATEHUB_VAULT_UUID_EUR: z.string().default('GATEHUB_VAULT_UUID_EUR'),
   GATEHUB_VAULT_UUID_USD: z.string().default('GATEHUB_VAULT_UUID_USD'),
diff --git a/packages/wallet/backend/src/gatehub/controller.ts b/packages/wallet/backend/src/gatehub/controller.ts
@@ -52,8 +52,8 @@ export class GateHubController implements IGateHubController {
     next: NextFunction
   ) => {
     try {
-      // TODO: implement signature check
       if (!req.body.uuid) {
+        res.status(200).json()
         return
       }
 
diff --git a/packages/wallet/backend/src/middleware/isGateHubSignedWebhook.ts b/packages/wallet/backend/src/middleware/isGateHubSignedWebhook.ts
@@ -0,0 +1,45 @@
+import type { NextFunction, Request, Response } from 'express'
+import { Unauthorized } from '@shared/backend'
+import { env } from '@/config/env'
+import { createHmac } from 'crypto'
+
+const TOLERANCE_MILLISECONDS = 5000
+export const isGateHubSignedWebhook = async (
+  req: Request,
+  res: Response,
+  next: NextFunction
+): Promise<void> => {
+  try {
+    if (!req.body.timestamp) {
+      // Respond with 200 on initial setup call
+      res.status(200).json()
+      return
+    }
+
+    const body = JSON.stringify(req.body)
+    const key = Buffer.from(env.GATEHUB_WEBHOOK_SECRET, 'hex')
+    const messageBuffer = Buffer.from(body, 'utf-8')
+
+    const requestSignature = createHmac('sha256', key)
+      .update(messageBuffer)
+      .digest('hex')
+
+    const timeDiffMilliseconds =
+      new Date().getTime() - parseFloat(req.body.timestamp)
+
+    // Check the difference of the received and current timestamp based on your tolerance
+    const timestampIsValid = timeDiffMilliseconds < TOLERANCE_MILLISECONDS
+    const signatureIsValid =
+      requestSignature === req.headers['x-gh-webhook-signature']
+
+    const isSignatureValid = timestampIsValid && signatureIsValid
+
+    if (!isSignatureValid) {
+      throw new Unauthorized('Invalid signature header')
+    }
+  } catch (e) {
+    next(e)
+  }
+
+  next()
+}

Original file line number	Diff line number	Diff line change
`@@ -52,8 +52,8 @@ export class GateHubController implements IGateHubController {`
`52`	`52`	`next: NextFunction`
`53`	`53`	`) => {`
`54`	`54`	`try {`
`55`		`- // TODO: implement signature check`
`56`	`55`	`if (!req.body.uuid) {`
	`56`	`+ res.status(200).json()`
`57`	`57`	`return`
`58`	`58`	`}`
`59`	`59`