django-rest-hooks
Add auth field
This is a proposal to add an optional Authorization header to the webhook. Doing so would allow a higher level of security to the outbound payload. Thoughts?
What level of security are you looking for here? So that the receiver can verify the authenticity of the webhooks?
@bryanhelmig yes, so the receiver can say "when you talk to me, use this auth token so I can trust you". The flip side to increasing trust requirements is being able to easily discard anything that doesn't auth, reducing processing.
Pretty interesting. I'm not sure I'd advocate adding a column for that though.
Consider an alternative - a shared secret combined with hmac hashing could accomplish the same thing without needing to store extra state per subscription.
The secret could be your API key or even a static value you share with trusted partners. Not sure your requirements. Take a look at Mailgun - they do something like this.
Thanks for the counter suggestion, it's an interesting one. I'll have a look at the implementation and document and share the setup if it works for us.
Awesome! I'd be down to see some utilities added here or at least documentation if you get something working.
@imsickofmaps did you get anything working for authentication? please let us know.
Thanks in advance
@pk026 we used a solution like this in the end which re-used the auth token: https://gist.github.com/imsickofmaps/09dcb8c4aa37ed5057ce6c190d19b0ae
I recommend signing though as a better, more scalable, solution. Check https://documentation.mailgun.com/user_manual.html?highlight=hmac#webhooks for ideas.