add endpoint to generate hmac hash for novu users securely

99475689 · Gregor Schulz · 3253308a · 99475689 · 99475689 · 99475689
Commit 99475689 authored 1 year ago by Gregor Schulz
--- a/.envrc.local.template
+++ b/.envrc.local.template
@@ -18,7 +18,6 @@ backendUrl() {
  fi
 }

-export OKUNA_NOTIFICATION_WEBHOOK_URL=http://127.0.0.1:8000/notification-webhook
 export OKUNA_DOMAIN=http://127.0.0.1:8000
 export OKUNA_URL=http://127.0.0.1:8000/graphql


--- a/oathkeeper/rules-local.yaml
+++ b/oathkeeper/rules-local.yaml
@@ -101,20 +101,21 @@
      config:
        headers:
          X-Holi-User-Name: '{{ if and .Extra (index .Extra "identity")}}{{ .Extra.identity.traits.name }}{{ else }}anonymous{{ end }}'
- id: notification-webhook
+- id: novu-credentials
  version: v0.40.3
  upstream:
    url: http://host.docker.internal:4000
  match:
-    url: http://<.*>:4455/notification-webhook
+    url: http://<.*>:4455/api/novu/credentials
    methods:
-      - POST
+      - GET
  authenticators:
-    - handler: anonymous
+    - handler: cookie_session
+    - handler: bearer_token
  authorizer:
    handler: allow
  mutators:
-    - handler: noop
+    - handler: header
 - id: ory-webhook
  version: v0.40.3
  upstream:

--- a/oathkeeper/rules-production.yaml
+++ b/oathkeeper/rules-production.yaml
@@ -101,20 +101,21 @@
      config:
        headers:
          X-Holi-User-Name: '{{ if and .Extra (index .Extra "identity")}}{{ .Extra.identity.traits.name }}{{ else }}anonymous{{ end }}'
- id: notification-webhook
+- id: novu-credentials
  version: v0.40.3
  upstream:
    url: http://localhost:4000
  match:
-    url: https://production.unified.apis.holi.social/notification-webhook
+    url: https://production.unified.apis.holi.social/api/novu/credentials
    methods:
-      - POST
+      - GET
  authenticators:
-    - handler: anonymous
+    - handler: cookie_session
+    - handler: bearer_token
  authorizer:
    handler: allow
  mutators:
-    - handler: noop
+    - handler: header
 - id: ory-webhook
  version: v0.40.3
  upstream:

--- a/oathkeeper/rules-staging.yaml
+++ b/oathkeeper/rules-staging.yaml
@@ -101,20 +101,21 @@
      config:
        headers:
          X-Holi-User-Name: '{{ if and .Extra (index .Extra "identity")}}{{ .Extra.identity.traits.name }}{{ else }}anonymous{{ end }}'
- id: notification-webhook
+- id: novu-credentials
  version: v0.40.3
  upstream:
    url: http://localhost:4000
  match:
-    url: https://staging.unified.apis.holi.social/notification-webhook
+    url: https://staging.unified.apis.holi.social/api/novu/credentials
    methods:
-      - POST
+      - GET
  authenticators:
-    - handler: anonymous
+    - handler: cookie_session
+    - handler: bearer_token
  authorizer:
    handler: allow
  mutators:
-    - handler: noop
+    - handler: header
 - id: ory-webhook
  version: v0.40.3
  upstream:

--- a/server.ts
+++ b/server.ts
@@ -85,31 +85,18 @@ app.get('/video-call/:roomName', (req, res) => {
  res.redirect(process.env.VIDEOCALL_URL + '/' + roomName + queryParameter)
 })

-// Notification webhook receiver to validate the incoming request using HMAC and forward it to okuna to process it.
-const novuSignature = createHmac('sha256', process.env.NOVU_API_KEY)
-  .update(process.env.NOVU_ENVIRONMENT_ID)
-  .digest('hex')
-
-app.post('/notification-webhook', express.json(), async (req, res) => {
-  const hmac = req.headers['nv-hmac-256']
-  if (hmac !== novuSignature) {
+app.get('/api/novu/credentials', async (req, res) => {
+  const userId = req.headers['x-holi-user-id']
+  if (!userId || Array.isArray(userId)) {
    res.status(401).send('Unauthorized')
    return
  }

-  const { body } = req
-  const response = await fetch(`${process.env.OKUNA_NOTIFICATION_WEBHOOK_URL}`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify(body),
-  })
-
-  if (response.status === 200) {
-    res.status(200).send(await response.json())
-  } else {
-    res.status(response.status).send({ error: await response.text() })
+  try {
+    const usersHmacHash = createHmac('sha256', process.env.NOVU_API_KEY).update(userId).digest('hex')
+    res.status(200).send({ hmacHash: usersHmacHash })
+  } catch (e) {
+    res.status(400).send("Couldn't generate the users credentials.")
  }
 })


--- a/terraform/environments/vars.tf
+++ b/terraform/environments/vars.tf
@@ -11,7 +11,6 @@ locals {
  goodnews_api_url     = "https://${local.environment == "production" ? "production" : "staging"}.${data.terraform_remote_state.holi_goodnews_api_common_state.outputs.dns_goodnews_api_domain}/graphql"
  geo_api_url          = "https://${local.environment == "production" ? "production" : "staging"}.${data.terraform_remote_state.holi_geo_api_common_state.outputs.dns_geo_api_domain}/graphql"
  volunteering_api_url = "https://${local.environment == "production" ? "production" : "staging"}.${data.terraform_remote_state.holi_volunteering_api_common_state.outputs.dns_volunteering_api_domain}/graphql"
-  okuna_webhook_url    = "https://${local.environment == "production" ? "production" : "staging"}.${data.terraform_remote_state.holi_okuna_common_state.outputs.dns_okuna_domain}/notification-webhook"
 }

 output "okuna_domain" {
@@ -37,7 +36,3 @@ output "geo_api_url" {
 output "volunteering_api_url" {
  value = local.volunteering_api_url
 }
-
-output "okuna_webhook_url" {
-  value = local.okuna_webhook_url
-}