Webhook custom header(s) - a little more security

Moderators: adafruit_support_bill, adafruit

Forum rules
If you're posting code, please make sure your code does not include your Adafruit IO Active Key or WiFi network credentials.
chadlung
Posts: 13
Joined: Tue Oct 04, 2022 11:57 am

Webhook custom header(s) - a little more security

Post by chadlung »

Hi. I was going to post this in feature suggestions but noticed that thread is locked. I'm curious if anyone is using actions to trigger a webhook pointed to an endpoint they control? The reason I ask is it looked like the way it works is Adafruit IO will post the webhook you set up with the data you want, but you cannot actually verify the payload (HMAC?), authenticate, etc. A "webhook listener" server left open with no ability to verify an incoming POST is obviously not a great option.

I was thinking of a few ways to approach this:
1. Allow adding custom headers to be added to the POST of the webhook. You could put in a token header that on your server you can extract and verify and block all other calls.
2. Add the ability to add basic auth credentials on the Adafruit IO side to pass to your server (basically back to the headers idea in #1).
3. Nice to have - Utilize something like HMAC to verify the payload

I did see that Adafruit IO will POST to your HTTPS endpoint. However, locking down my server a little more so I can ignore all other traffic (fail2ban offenders) and verify the payload would be perfect. I could just allow Adafruit IO to talk to my endpoint but that stops my other traffic coming in with auth tokens from various endpoints.

Is anyone else dealing with this, and if so how are you handling this sort of thing? I'm new to Adafruit IO so maybe I missed something or maybe you can lock down things more on the plus plan but I didn't see that documented anywhere.

jwcooper
Posts: 1004
Joined: Tue May 01, 2012 9:08 pm

Re: Webhook custom header(s) - a little more security

Post by jwcooper »

As of now, we don't have any way to set custom headers or basic auth in action webhooks.

I'll file an issue internally and we'll see how we can do something like this. At the very least, I like the idea of being able to set a custom auth header that you can validate against.

chadlung
Posts: 13
Joined: Tue Oct 04, 2022 11:57 am

Re: Webhook custom header(s) - a little more security

Post by chadlung »

jwcooper wrote: Mon Oct 24, 2022 11:29 am
    I'll file an issue internally and we'll see how we can do something like this. At the very least, I like the idea of being able to set a custom auth header that you can validate against.
Thanks! Incidentally, this is one of those features that I'd be happy to pay for (plus plan). I'll be happy to test it once the ticket is ready if you need some outside folks to try it out.

jwcooper
Posts: 1004
Joined: Tue May 01, 2012 9:08 pm

Re: Webhook custom header(s) - a little more security

Post by jwcooper »

We've deployed this feature. We don't have documentation for it yet, but webhooks will now send a signature in the header.

Header: X-AIO-Signature
Value: t={unix timestamp}, v1={timestamp.body-string}

The v1 signature is encoded with HMAC with SHA-256 using your AIO Key.

An example of validating in Ruby is as follows:

    require 'openssl'

    # my_aio_key: your Adafruit IO key; time and request_body come from the
    # t= value of the X-AIO-Signature header and the raw POST body.
    OpenSSL::HMAC.hexdigest('sha256', my_aio_key, "#{time}.#{request_body}")
This is free to all users.
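The one-liner above only computes the expected digest; a listener still has to parse the header, bound the timestamp so a captured request cannot be replayed indefinitely, and compare the digests in constant time. The following is an added example of a complete verifier, written for this thread and not Adafruit's own code. It assumes the header fields are separated by a comma (as in the `t=..., v1=...` description above), that `t` is an integer Unix timestamp, and it picks a five-minute replay window, which is a choice made here rather than an Adafruit IO parameter. The key and request body are constructed sample values.

```ruby
require 'openssl'

# Replay window in seconds. This is a choice made for this example, not a
# parameter documented by Adafruit IO.
MAX_SKEW_SECONDS = 300

# Parse "t=1666623000, v1=<hex>" into a hash of field name => value.
# The comma separator and field names follow the forum description; the
# exact spacing is an assumption, so whitespace around fields is tolerated.
def parse_aio_signature(header)
  return nil if header.nil?
  fields = {}
  header.split(',').each do |part|
    key, value = part.strip.split('=', 2)
    fields[key] = value if key && value
  end
  return nil unless fields['t'] && fields['v1']
  fields
end

# Expected v1 value: hex HMAC-SHA256 over "<timestamp>.<raw body>" keyed
# with the AIO key, exactly as in the post above.
def expected_signature(aio_key, timestamp, body)
  OpenSSL::HMAC.hexdigest('sha256', aio_key, "#{timestamp}.#{body}")
end

# Constant-time comparison so a timing difference does not leak how many
# leading bytes of a guessed signature were correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns a symbol so the caller can log the rejection reason without
# echoing the secret or the expected digest.
def verify_aio_webhook(aio_key, header, body, now: Time.now.to_i)
  fields = parse_aio_signature(header)
  return :malformed_header unless fields

  ts = fields['t']
  return :malformed_header unless ts.match?(/\A\d+\z/)
  return :stale_timestamp if (now - ts.to_i).abs > MAX_SKEW_SECONDS

  expected = expected_signature(aio_key, ts, body)
  return :bad_signature unless constant_time_equal?(expected, fields['v1'])

  :ok
end

# Constructed sample request (not a real key or captured webhook).
SAMPLE_KEY  = 'aio_EXAMPLE_KEY_not_real'
SAMPLE_BODY = '{"feed":"sensor.temperature","value":"21.5"}'
sample_ts   = 1_666_623_000
sample_hdr  = "t=#{sample_ts}, v1=#{expected_signature(SAMPLE_KEY, sample_ts, SAMPLE_BODY)}"

puts verify_aio_webhook(SAMPLE_KEY, sample_hdr, SAMPLE_BODY, now: sample_ts + 10)
puts verify_aio_webhook(SAMPLE_KEY, sample_hdr, SAMPLE_BODY + ' ', now: sample_ts + 10)
puts verify_aio_webhook(SAMPLE_KEY, sample_hdr, SAMPLE_BODY, now: sample_ts + 3600)
```

Verify against the raw bytes of the body as received, before any JSON parsing or re-serialization, since re-encoding can change whitespace or key order and break the digest. Drop the request with a generic 4xx and log only the outcome symbol; this is also the point at which a fail2ban-style rule can count repeated `:bad_signature` results from one source.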
