evendis / mandrill-rails

Webhook processing and event decoration to make using Mandrill with Rails just that much easier
MIT License

authenticate_with_webhook_key fails for app enforcing HTTPS through Cloudflare's Flexible SSL #20

Closed reichertm closed 9 years ago

reichertm commented 9 years ago

There are quite a few variables that need to coincide for the issue to surface:

  1. App hosted on Heroku without SSL enabled.
  2. A Rack middleware in the app that redirects all requests to app-name.herokuapp.com -> https://www.app-name.com
  3. The https://www.app-name.com is set up through Cloudflare's Flexible SSL (traffic from the internet to Cloudflare goes over SSL but traffic from Cloudflare to Heroku goes in plain HTTP).

In the given setup the authenticate_with_webhook_key filter always fails, as the request.original_url used to calculate the expected signature gives the http://... URL while Mandrill sends requests to the https://... URL.

For now I solved the issue by writing a replacement for the authenticate_with_webhook_key method that passes the 'correct' URL to Mandrill::WebHook::Processor.authentic?().

Also if someone doesn't mind his app being accessible through *.herokuapp.com URL, he could point the webhook to that URL and it would work fine.

tardate commented 9 years ago

Hi @reichertm - interesting scenario. Thanks for documenting the workaround. I'm not sure if we should change the authenticate_with_webhook_key implementation, do you?

Thinking about it a bit, I wonder if the proxied message should strictly be considered "authenticated", as conceivably this could represent a man-in-the-middle exposure.

I'll close this with no action for now. Let me know if you have ideas on changing the code though.

thehappycoder commented 9 years ago

I didn't read this post thoroughly but I solved the problem I had. I have rails behind nginx+ssl. In order for authenticate_with_webhook_key to work, I use https:// at mandrill and proxy_set_header X-Forwarded-Proto https; at nginx
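The scheme mismatch discussed in this thread, as an added Ruby example that is not the gem's own code: it follows Mandrill's documented signing scheme (base64 of HMAC-SHA1 over the webhook URL followed by the alphabetically sorted POST parameters) and uses hypothetical helper names and constructed sample values. It shows the check failing against the http:// URL the app observes and passing once the public scheme is rebuilt from X-Forwarded-Proto.

```ruby
require 'openssl'
require 'base64'

# Mandrill signs each webhook POST as base64(HMAC-SHA1(webhook_key, signed_data)),
# where signed_data is the webhook URL followed by every POST parameter's key and
# value, keys in alphabetical order. The URL is the one configured at Mandrill,
# i.e. the public https://... address, not what the app sees behind a proxy.
def mandrill_signature(webhook_key, url, params)
  signed_data = url.dup
  params.keys.sort.each { |k| signed_data << k.to_s << params[k].to_s }
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', webhook_key, signed_data))
end

# Constant-time comparison so the check does not leak how many leading bytes
# of a guessed signature were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authentic?(webhook_key, url, params, given_signature)
  secure_equal?(mandrill_signature(webhook_key, url, params), given_signature)
end

# Behind a TLS-terminating proxy (Cloudflare Flexible SSL, nginx) the app sees
# http://..., so rebuild the public URL from X-Forwarded-Proto. Only honour that
# header when your own proxy sets it (as in the nginx line above); if a client
# could inject it, the caller would choose the scheme the signature is checked
# against, which is the man-in-the-middle concern raised in the thread.
def effective_url(original_url, forwarded_proto)
  return original_url unless forwarded_proto == 'https'
  original_url.sub(%r{\Ahttp://}, 'https://')
end

# Constructed sample: what Mandrill signs versus what the Rails app observes.
WEBHOOK_KEY  = 'constructed-webhook-key'
PUBLIC_URL   = 'https://www.app-name.com/mandrill/events'
OBSERVED_URL = 'http://www.app-name.com/mandrill/events'
PARAMS       = { 'mandrill_events' => '[{"event":"send"}]' }
SIGNATURE    = mandrill_signature(WEBHOOK_KEY, PUBLIC_URL, PARAMS)

if __FILE__ == $0
  puts "request.original_url as seen:  #{authentic?(WEBHOOK_KEY, OBSERVED_URL, PARAMS, SIGNATURE)}" # false
  fixed = effective_url(OBSERVED_URL, 'https')
  puts "with X-Forwarded-Proto: https: #{authentic?(WEBHOOK_KEY, fixed, PARAMS, SIGNATURE)}" # true
end
```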