Problem:
Currently the webhook communication between the BPP-Client and BPP Software is not secure. This is usually not an issue where the channel has other protection such as virtual private network. However in BPP software that is publicly accessible, this method will require whitelisting etc on the BPP Software side.
Requirement:
Add an optional shared key authentication mechanism (such as HMAC- Hash based message authentication code) to the communication between the BPP-Client and BPP SW. Though we have public key authentication in other communications (such as between BAP and BPP), here since both BPP and BPP-PS are installed and controlled by same organisation, shared key authentication seems sufficient.
Add a configuration key useHMACForWebhook which will be default false and assumed false if absent.
Add a configuration key sharedKeyForWebhookHMAC which will be default empty and assumed empty is absent.
If the useHMACForWebhook is true and if the sharedKeyForWebhookHMAC has a valid secret key, the content of the message is hashed, the signature calculated and sent in the Authorization header.
In all other cases including current configuration (where both the above keys are missing), the webhook message is sent without this header.
The BPP Software with the shared key can authenticate the request.
em-abee
commented
3 months ago
Problem: Currently the webhook communication between the BPP-Client and BPP Software is not secure. This is usually not an issue where the channel has other protection such as virtual private network. However in BPP software that is publicly accessible, this method will require whitelisting etc on the BPP Software side.
Requirement:
The BPP Software with the shared key can authenticate the request.