iframe-proxy

victoreduardo · 2025-03-19T20:53:49Z

Objetivo:

Validar se a mensagem está sendo enviada por um remetente autentico, evitando que requisições maliciosas utilizem a URL para enviar informações fraudulentas. Para isso, ao enviar a requisição para a URL do webhook, adicionamos uma camada de autenticação utilizando JWT token. Para quem utiliza n8n, por exemplo, conseguirá adicionar a autenticação por JWT no webhook, protegendo-o de requisições maliciosas.

Mudanças:

instala a dependencia jsonwebtoken para gerar o token
Quando hover a chave jwt_key dentro do campo headers da tabela Webhooks, então utilizaremos essa key para gerar o JWT token e encaminha-lo via requisição.

Summary by Sourcery

Enhance webhook security by adding JWT authentication. This ensures that webhook requests originate from an authenticated source, preventing malicious requests and fraudulent information.

Enhancements:

Implement JWT token generation and validation for webhook requests, using a 'jwt_key' in the webhook headers to generate a JWT token and include it in the Authorization header.
Add labels to the chat model.

sourcery-ai · 2025-03-19T20:53:54Z

Reviewer's Guide by Sourcery

This pull request introduces JWT authentication for webhooks, enhances the Chat model with labels, adds a unique constraint to the Chat model, and includes deployment configuration files.

Sequence diagram for Webhook JWT Authentication

sequenceDiagram
  participant Client
  participant WebhookController
  participant JWT
  participant Webhook

  Client->>WebhookController: Sends request to webhook URL with headers (including jwt_key)
  activate WebhookController
  WebhookController->>WebhookController: Checks for jwt_key in headers
  alt jwt_key exists
    WebhookController->>JWT: generateJwtToken(jwt_key)
    activate JWT
    JWT->>JWT: Sign payload with jwt_key using HS256
    JWT-->>WebhookController: Returns JWT token
    deactivate JWT
    WebhookController->>WebhookController: Adds Authorization header with JWT token
    WebhookController->>WebhookController: Removes jwt_key from headers
  end
  WebhookController->>Webhook: Sends request to webhook with updated headers (including Authorization)
  activate Webhook
  Webhook-->>WebhookController: Returns response
  deactivate Webhook
  WebhookController-->>Client: Returns response
  deactivate WebhookController

Updated class diagram for Chat model

classDiagram
  class Chat {
    instanceId: string
    remoteJid: string
    createdAt: DateTime
    labels: string[]
  }
  note for Chat "Added labels attribute to Chat model"

File-Level Changes

Change	Details	Files
Implements JWT authentication for webhook requests.	Adds logic to generate a JWT token if a `jwt_key` is present in the webhook headers. Includes `iat` (issued at), `exp` (expiration), `app`, and `action` in the JWT payload. Sets the token expiration time to 10 minutes. Adds an `Authorization` header with the JWT token to the webhook request. Removes the `jwt_key` from the headers before sending the request. Adds error handling for JWT generation failures. Adds `jsonwebtoken` as a project dependency.	`src/api/integrations/event/webhook/webhook.controller.ts` `package.json`
Adds labels to the Chat model.	Adds `labels` field to the Chat model in the database query. Includes `labels` in the mapped results for contacts.	`src/api/services/channel.service.ts`
Adds a unique constraint to the Chat model.	Adds a unique index on the `instanceId` and `remoteJid` columns of the `Chat` table.	`prisma/postgresql-migrations/20250314220553_add_unique_chat/migration.sql`
Adds deploy configuration file.	Adds a `deploy.yml` file to configure the deployment process.	`config/deploy.yml`
Adds kamal secrets file.	Adds a `.kamal/secrets` file to store sensitive information.	`.kamal/secrets`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!
Generate a plan of action for an issue: Comment @sourcery-ai plan on
an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

sourcery-ai

Hey @victoreduardo - I've reviewed your changes - here's some feedback:

Overall Comments:

Consider adding a configuration option for the JWT expiration time, instead of hardcoding it to 10 minutes.
The addition of the jsonwebtoken dependency should be noted in the description.

Here's what I looked at during the review

🟡 General issues: 1 issue found
🟢 Security: all looks good
🟢 Testing: all looks good
🟢 Complexity: all looks good
🟢 Documentation: all looks good

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

…eader record

bergpinheiro · 2025-03-20T13:39:02Z

Se possivel deixar esse tipo de autenticação opcional. Nem todo mundo vai usar.

victoreduardoss · 2025-03-20T13:46:28Z

Se possivel deixar esse tipo de autenticação opcional. Nem todo mundo vai usar.

a autenticação só é aplicada se existir jwt_key dentro de headers. Mesmo gerando a autenticação, ela só será utilizada se o destinatário (webhook URL) estiver habilitado para verificar a autenticação.

DavidsonGomes · 2025-03-26T13:00:16Z

Ajuste os conflitos e lint por favor, estava para a branch main, o correto é para a develop, rode o compando npm run lint

victoreduardo · 2025-05-03T12:42:50Z

sourcery-ai Bot reviewed Mar 19, 2025

View reviewed changes

Comment thread src/api/integrations/event/webhook/webhook.controller.ts

victoreduardo changed the title ~~Tornando Webhook mais seguro com JWT~~ Tornando Webhook mais seguro com JWT token Mar 19, 2025

sending JWT token when sending webhook if jwt_key exists in webhook h…

cee2bc4

…eader record

victoreduardo force-pushed the victoreduardos/jwt-webhook branch from 4b25e84 to cee2bc4 Compare March 19, 2025 21:04

DavidsonGomes changed the base branch from main to develop March 26, 2025 12:58

victoreduardo added 2 commits May 3, 2025 09:40

Merge branch 'develop' into victoreduardos/jwt-webhook

b064e51

lint

95827a2

DavidsonGomes merged commit d1a28ea into EvolutionAPI:develop May 10, 2025
1 check passed

Sunbelt Computer Software

PL/B Language Development and Support

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tornando Webhook mais seguro com JWT token#1318

Tornando Webhook mais seguro com JWT token#1318
DavidsonGomes merged 3 commits intoEvolutionAPI:developfrom
victoreduardo:victoreduardos/jwt-webhook

victoreduardo commented Mar 19, 2025 •

edited

Loading

Uh oh!

sourcery-ai Bot commented Mar 19, 2025 •

edited

Loading

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

sourcery-ai Bot left a comment

Uh oh!

Uh oh!

bergpinheiro commented Mar 20, 2025

Uh oh!

victoreduardoss commented Mar 20, 2025 •

edited

Loading

Uh oh!

DavidsonGomes commented Mar 26, 2025

Uh oh!

victoreduardo commented May 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Sunbelt Computer Software

PL/B Language Development and Support

Conversation

victoreduardo commented Mar 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Objetivo:

Mudanças:

Summary by Sourcery

Uh oh!

sourcery-ai Bot commented Mar 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviewer's Guide by Sourcery

Sequence diagram for Webhook JWT Authentication

Updated class diagram for Chat model

File-Level Changes

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

sourcery-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

bergpinheiro commented Mar 20, 2025

Uh oh!

victoreduardoss commented Mar 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

DavidsonGomes commented Mar 26, 2025

Uh oh!

victoreduardo commented May 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

victoreduardo commented Mar 19, 2025 •

edited

Loading

sourcery-ai Bot commented Mar 19, 2025 •

edited

Loading

victoreduardoss commented Mar 20, 2025 •

edited

Loading