xmpp-webhook

Token-based authentication for Slack-like webhooks?

Open poVoq opened this issue 3 years ago • 3 comments

Hello,

I am interested in using this with Matterbridge, which recently added a way to relay messages to XMPP (spoofing users) via this Prosody module: https://modules.prosody.im/mod_slack_webhooks.html

But one of the downsides is that there is no authentication, so you cannot expose this webhook endpoint anywhere.

Does this support some sort of token-based authentication that can be added to the webhook URL?

Also, can it add messages to a MUC?

Thanks!

Edit: or is this actually a stupid question as this isn't a component and just relays messages as a bot? I guess so :(

poVoq avatar Jun 12 '21 14:06 poVoq

Hmm, looking at this, I guess not: https://github.com/tmsmr/xmpp-webhook/blob/master/parser/slack-compatible.go

So anyone who knows the URL can post random messages via this bot unless it is used in a local network only?

poVoq avatar Jun 16 '21 02:06 poVoq

Hey @poVoq. I'm not sure about your use case. Do you want to call webhooks using Matterbridge to send XMPP messages? If yes, this would be possible with a new handler (no big deal). You can't send messages to MUCs at the moment. But I agree, that would be useful - I'll check what has to be done for that. I aim to keep this project as small as possible, that's why there is no authentication included. To be honest, I think it's better to use a proxy for (basic-) authentication (architecture-wise), e.g.:

  • https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
  • https://doc.traefik.io/traefik/middlewares/basicauth/
  • https://caddyserver.com/docs/caddyfile/directives/basicauth

On the other side, implementing basic auth for the HTTP endpoints of the webhook would be pretty straightforward. Would you prefer that? For my use cases, the webhook always runs on the machines (bound to localhost) which are generating alerts, so I never required any sort of authentication...

tmsmr avatar Jun 16 '21 17:06 tmsmr

The idea with Matterbridge is basically scrapped since I understood this appears as a bot account in XMPP (which Matterbridge supports anyways) and not as a more powerful component.

But I would still like to use this to send notifications from a Flarum.org forum via the Slack-like webhook support to an XMPP MUC. Preferably with some shared secret so that the webhook can be less easily abused.

poVoq avatar Jun 16 '21 18:06 poVoq
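
The shared-secret check asked for in this thread can sit in front of a webhook handler as HTTP middleware. The following is an added example, not part of the thread and not xmpp-webhook's own code; `requireToken`, `statusFor`, the stand-in `webhook` handler, the `/hook` path and the token value are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireToken (hypothetical) rejects requests that lack the shared secret.
// The token is read from "Authorization: Bearer <token>" or, for senders that
// can only configure a URL, from the ?token= query parameter.
func requireToken(secret string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(secret))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.URL.Query().Get("token")
		if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
			got = strings.TrimPrefix(h, "Bearer ") // header wins over query
		}
		// Hash both sides so the comparison is fixed-length and constant-time.
		sum := sha256.Sum256([]byte(got))
		// An empty configured secret fails closed instead of admitting everyone.
		if secret == "" || subtle.ConstantTimeCompare(sum[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// webhook is a stand-in for the real relay handler (hypothetical).
var webhook = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNoContent)
})

// statusFor sends one constructed POST through h and returns the status code.
func statusFor(h http.Handler, target, bearer string) int {
	req := httptest.NewRequest(http.MethodPost, target, strings.NewReader(`{"text":"hi"}`))
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := requireToken("s3cret-constructed", webhook) // constructed sample secret
	fmt.Println(statusFor(h, "/hook", ""), statusFor(h, "/hook?token=s3cret-constructed", ""))
}
```

A token carried in the query string ends up in proxy and server access logs, so the header form is preferable wherever the sender supports it, and either form needs TLS in front of the endpoint.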