search

Commit451 / skyhook

Parses webhooks and forwards them in the proper format to Discord.
https://commit451.github.io/skyhook-web
MIT License
367 stars 95 forks source link

Intercom Support (with signed messages) #114

Open themetalfleece opened 5 years ago

themetalfleece commented 5 years ago

Intercom has webhooks for new events (i.e. messages, new users) - reference. My issue is that it's better for Intercom messages to be signed with a hub secret string. This is set in the Intercom Webhook dashboard and must be provided to the app to validate the messages. Would it be possible for that string to be set when creating a webhook with skyhook?

I have already created a node.js app to forward messages from Intercom to Discord - https://github.com/themetalfleece/intercom-discord Validate signature script - https://github.com/themetalfleece/intercom-discord/blob/master/helpers/validateSignature.js

hytromo commented 5 years ago

As far as I can see from skyhook's code, it doesn't have any kind of storage in the backend to save our settings. When you generate a link, it just replaces it with its own origin and appends the service at the end, e.g.

https://discordapp.com/api/webhooks/WEBHOOK_HASH becomes skyhook.glitch.me/api/webhooks/WEBHOOK_HASH/bitbucket

When skyhook receives a POST request to a url like the above, it just passes it to the appropriate service data parser (here bitbucket) and then posts to the discord webhook hash. All this information is in the url of the post request. So the URL of the post request contains data on

  1. How should I read the body of this post request (e.g. bitbucket)
  2. Where should I forward this message to? (discord webhook hash)

So, the easiest way to integrate intercom supporting hub secret is to literally have the hub secret in the URL, changing a bit the way that (1) works, e.g. providing additional context (the hub secret).

This requires that the POST request between the 2 services are made using HTTPS, because HTTPS does not reveal the URL. There may be other security implications here that I'm unaware of, though.

So, in short I imagine this working in the following way:

  1. Skyhook UI provides another optional field for intercom that is the hub_secret
  2. It generates a URL like https://skyhook.glitch.me/api/webhooks/HASH/intercom:HUB_SECRET
  3. When intercom POSTs there, it knows how to decode the message
  4. It forwards the POST to the discord webhook

Also someone may make the argument that having the hub secret in the url makes it way too accessible, which IMO is a valid argument.