Iridescent-CM / technovation-app

The team submission platform for the Technovation Challenge
https://technovationchallenge.org
GNU General Public License v3.0

DocuSign: HMAC security for webhook endpoint #4716

Closed shaun-technovation closed 2 months ago

shaun-technovation commented 5 months ago

Right now the webhook endpoint built in #4691 is a public endpoint, available to anyone. We should lock down this endpoint so only DocuSign can use it.

From the documentation:

Once HMAC is enabled, special header values will be included in your Connect messages that you can use to verify:

  • That the message was sent by DocuSign Connect (authenticity).
  • That the message contents are exactly the same as they were at the time of sending (integrity).

dboyer commented 5 months ago

Hey team! Please add your planning poker estimate with Zenhub @shaun-technovation @viviancan

shaun-technovation commented 4 months ago

A few notes/links related to the work I did:

Documentation on creating and setting up the HMAC secret key in DocuSign:

A blogpost from DocuSign on manually verifying a payload with HMAC:

Documentation and code examples (including Ruby) on verifying a payload with HMAC:

I also set up Pagekite locally to test all of this:

shaun-technovation commented 4 months ago

This is on Preview. Everything should work as expected, like it is now.

The behind-the-scenes changes are that now, when we receive a webhook payload, it will get verified with our secret key (that only DocuSign and we have). If it's valid, everything will happen that's happening now (the legal document will get marked as signed). If the payload is not valid, we'll log an error message, and then basically nothing will happen. This makes it so that only verified payloads from DocuSign (who has the secret key) will get processed.
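
The verify-then-process flow described in the comment above, as an added Ruby example that is not part of the thread or the project's code. It assumes DocuSign Connect's documented scheme of a Base64 HMAC-SHA256 over the raw request body sent in `X-DocuSign-Signature-N` headers (one per configured key); the function names, return symbols and sample values are hypothetical and constructed for illustration.

```ruby
require "openssl"

# Assumed header naming: one numbered signature header per configured HMAC key.
SIGNATURE_HEADER = /\AX-DocuSign-Signature-\d+\z/i

# Constructed sample values, not real DocuSign data.
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_BODY = '{"event":"envelope-completed","data":{"envelopeId":"constructed-id"}}'

# Base64(HMAC-SHA256(secret, raw_body)). Must run over the exact bytes received:
# re-serializing parsed JSON can change whitespace or key order and break the match.
def compute_signature(secret, raw_body)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, raw_body)
  [mac].pack("m0") # strict Base64, no trailing newline
end

# Constant-time comparison so response timing does not reveal how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Returns :verified, :missing_signature or :invalid_signature.
def verify_webhook(headers, raw_body, secret)
  candidates = headers.select { |name, _| name.to_s.match?(SIGNATURE_HEADER) }.values
  return :missing_signature if candidates.empty?

  expected = compute_signature(secret, raw_body)
  # Evaluate every candidate header before deciding, so a rotated key in -2 still verifies.
  matches = candidates.map { |sig| secure_compare(sig.to_s.strip, expected) }
  matches.any? ? :verified : :invalid_signature
end

# Fail closed: only a verified payload reaches the handler; anything else is logged and dropped.
def handle_webhook(headers, raw_body, secret, log)
  result = verify_webhook(headers, raw_body, secret)
  if result == :verified
    :document_marked_signed
  else
    log << "DocuSign webhook rejected: #{result}"
    :ignored
  end
end
```

In a Rails controller the raw bytes come from `request.raw_post` rather than the parsed `params`.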

dboyer commented 3 months ago

I was able to sign documents on preview and I see the signed stamp on the admin side.