Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Mailer][Notifier] Add webhooks signature verification on Sweego bridges #58651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Dec 6, 2024
Merged

[Mailer][Notifier] Add webhooks signature verification on Sweego bridges #58651

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions src/Symfony/Component/Mailer/Bridge/Sweego/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,33 @@ MAILER_DSN=sweego+api://API_KEY@default
where:
- `API_KEY` is your Sweego API Key

Webhook
-------

Configure the webhook routing:

```yaml
framework:
webhook:
routing:
sweego_mailer:
service: mailer.webhook.request_parser.sweego
secret: '%env(SWEEGO_WEBHOOK_SECRET)%'
```

And a consumer:

```php
#[AsRemoteEventConsumer(name: 'sweego_mailer')]
class SweegoMailEventConsumer implements ConsumerInterface
{
public function consume(RemoteEvent|AbstractMailerEvent $event): void
{
// your code
}
}
```

Sponsor
-------

Expand Down
15 changes: 0 additions & 15 deletions src/Symfony/Component/Mailer/Bridge/Sweego/Tests/Webhook/Fixtures/sent.json
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions src/Symfony/Component/Mailer/Bridge/Sweego/Tests/Webhook/Fixtures/sent.php
View file
Open in desktop

This file was deleted.

3 changes: 3 additions & 0 deletions src/Symfony/Component/Mailer/Bridge/Sweego/Tests/Webhook/SweegoRequestParserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ protected function createRequest(string $payload): Request
{
return Request::create('/', 'POST', [], [], [], [
'Content-Type' => 'application/json',
'HTTP_webhook-id' => '9f26b9d0-13d7-410c-ba04-5019cd30e6d0',
'HTTP_webhook-timestamp' => '1723737959',
'HTTP_webhook-signature' => 'W+fm4VPshCGjuT0HxyV00QEbFitZd2Rdvx82bWM7VXc=',
], $payload);
}
}
40 changes: 40 additions & 0 deletions ...ny/Component/Mailer/Bridge/Sweego/Tests/Webhook/SweegoWrongSignatureRequestParserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <[email protected]>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Component\Mailer\Bridge\Sweego\Tests\Webhook;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Mailer\Bridge\Sweego\RemoteEvent\SweegoPayloadConverter;
use Symfony\Component\Mailer\Bridge\Sweego\Webhook\SweegoRequestParser;
use Symfony\Component\Webhook\Client\RequestParserInterface;
use Symfony\Component\Webhook\Exception\RejectWebhookException;
use Symfony\Component\Webhook\Test\AbstractRequestParserTestCase;

class SweegoWrongSignatureRequestParserTest extends AbstractRequestParserTestCase
{
protected function createRequestParser(): RequestParserInterface
{
$this->expectException(RejectWebhookException::class);
$this->expectExceptionMessage('Invalid signature.');

return new SweegoRequestParser(new SweegoPayloadConverter());
}

protected function createRequest(string $payload): Request
{
return Request::create('/', 'POST', [], [], [], [
'Content-Type' => 'application/json',
'HTTP_webhook-id' => '9f26b9d0-13d7-410c-ba04-5019cd30e6d0',
'HTTP_webhook-timestamp' => '1723737959',
'HTTP_webhook-signature' => 'wrong_signature',
], $payload);
}
}
20 changes: 20 additions & 0 deletions src/Symfony/Component/Mailer/Bridge/Sweego/Webhook/SweegoRequestParser.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

use Symfony\Component\HttpFoundation\ChainRequestMatcher;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcher\HeaderRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcher\IsJsonRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcher\MethodRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;
Expand All @@ -34,6 +35,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
return new ChainRequestMatcher([
new MethodRequestMatcher('POST'),
new IsJsonRequestMatcher(),
new HeaderRequestMatcher(['webhook-id', 'webhook-timestamp', 'webhook-signature']),
]);
}

Expand All @@ -51,10 +53,28 @@ protected function doParse(Request $request, #[\SensitiveParameter] string $secr
throw new RejectWebhookException(406, 'Payload is malformed.');
}

$this->validateSignature($request, $secret);

try {
return $this->converter->convert($content);
} catch (ParseException $e) {
throw new RejectWebhookException(406, $e->getMessage(), $e);
}
}

private function validateSignature(Request $request, string $secret): void
{
$contentToSign = \sprintf(
'%s.%s.%s',
$request->headers->get('webhook-id'),
$request->headers->get('webhook-timestamp'),
$request->getContent(),
);

$computedSignature = base64_encode(hash_hmac('sha256', $contentToSign, base64_decode($secret), true));

if (!hash_equals($computedSignature, $request->headers->get('webhook-signature'))) {
throw new RejectWebhookException(403, 'Invalid signature.');
}
}
}
27 changes: 27 additions & 0 deletions src/Symfony/Component/Notifier/Bridge/Sweego/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,33 @@ $sms->options($options);
$texter->send($sms);
```

Webhook
-------

Configure the webhook routing:

```yaml
framework:
webhook:
routing:
sweego_sms:
service: notifier.webhook.request_parser.sweego
secret: '%env(SWEEGO_WEBHOOK_SECRET)%'
```

And a consumer:

```php
#[AsRemoteEventConsumer(name: 'sweego_sms')]
class SweegoSmsEventConsumer implements ConsumerInterface
{
public function consume(RemoteEvent|SmsEvent $event): void
{
// your code
}
}
```

Sponsor
-------

Expand Down
11 changes: 11 additions & 0 deletions src/Symfony/Component/Notifier/Bridge/Sweego/Tests/Webhook/SweegoRequestParserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@

namespace Symfony\Component\Notifier\Bridge\Sweego\Tests\Webhook;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Notifier\Bridge\Sweego\Webhook\SweegoRequestParser;
use Symfony\Component\Webhook\Client\RequestParserInterface;
use Symfony\Component\Webhook\Test\AbstractRequestParserTestCase;
Expand All @@ -21,4 +22,14 @@ protected function createRequestParser(): RequestParserInterface
{
return new SweegoRequestParser();
}

protected function createRequest(string $payload): Request
{
return Request::create('/', 'POST', [], [], [], [
'Content-Type' => 'application/json',
'HTTP_webhook-id' => 'a5ccc627-6e43-4012-bb29-f1bfe3a3d13e',
'HTTP_webhook-timestamp' => '1725290740',
'HTTP_webhook-signature' => 'k7SwzHXZqVKNvCpp6HwGS/5aDZ6NraYnKmVkBdx7MHE=',
], $payload);
}
}
39 changes: 39 additions & 0 deletions .../Component/Notifier/Bridge/Sweego/Tests/Webhook/SweegoWrongSignatureRequestParserTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <[email protected]>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Component\Notifier\Bridge\Sweego\Tests\Webhook;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Notifier\Bridge\Sweego\Webhook\SweegoRequestParser;
use Symfony\Component\Webhook\Client\RequestParserInterface;
use Symfony\Component\Webhook\Exception\RejectWebhookException;
use Symfony\Component\Webhook\Test\AbstractRequestParserTestCase;

class SweegoWrongSignatureRequestParserTest extends AbstractRequestParserTestCase
{
protected function createRequestParser(): RequestParserInterface
{
$this->expectException(RejectWebhookException::class);
$this->expectExceptionMessage('Invalid signature.');

return new SweegoRequestParser();
}

protected function createRequest(string $payload): Request
{
return Request::create('/', 'POST', [], [], [], [
'Content-Type' => 'application/json',
'HTTP_webhook-id' => 'a5ccc627-6e43-4012-bb29-f1bfe3a3d13e',
'HTTP_webhook-timestamp' => '1725290740',
'HTTP_webhook-signature' => 'wrong_signature',
], $payload);
}
}
20 changes: 20 additions & 0 deletions src/Symfony/Component/Notifier/Bridge/Sweego/Webhook/SweegoRequestParser.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

use Symfony\Component\HttpFoundation\ChainRequestMatcher;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcher\HeaderRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcher\IsJsonRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcher\MethodRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;
Expand All @@ -32,6 +33,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
return new ChainRequestMatcher([
new MethodRequestMatcher('POST'),
new IsJsonRequestMatcher(),
new HeaderRequestMatcher(['webhook-id', 'webhook-timestamp', 'webhook-signature']),
]);
}

Expand All @@ -43,6 +45,8 @@ protected function doParse(Request $request, #[\SensitiveParameter] string $secr
throw new RejectWebhookException(406, 'Payload is malformed.');
}

$this->validateSignature($request, $secret);

$name = match ($payload['event_type']) {
'sms_sent' => SmsEvent::DELIVERED,
default => throw new RejectWebhookException(406, \sprintf('Unsupported event "%s".', $payload['event'])),
Expand All @@ -53,4 +57,20 @@ protected function doParse(Request $request, #[\SensitiveParameter] string $secr

return $event;
}

private function validateSignature(Request $request, string $secret): void
{
$contentToSign = \sprintf(
'%s.%s.%s',
$request->headers->get('webhook-id'),
$request->headers->get('webhook-timestamp'),
$request->getContent(),
);

$computedSignature = base64_encode(hash_hmac('sha256', $contentToSign, base64_decode($secret), true));

if (!hash_equals($computedSignature, $request->headers->get('webhook-signature'))) {
throw new RejectWebhookException(403, 'Invalid signature.');
}
}
}
3 changes: 3 additions & 0 deletions src/Symfony/Component/Notifier/Bridge/Sweego/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@
"require-dev": {
"symfony/webhook": "^6.4|^7.0"
},
"conflict": {
"symfony/http-foundation": "<7.1"
},
"autoload": {
"psr-4": { "Symfony\\Component\\Notifier\\Bridge\\Sweego\\": "" },
"exclude-from-classmap": [
Expand Down
Loading