Open mockdeep opened 8 years ago

It would be nice if we could have our webhook render a generic 404 message to not give malicious attackers any information about what is going on.

@mockdeep that's a good idea. At the moment we probably give away TMI:

    context "with invalid key" do
      ...
      expect(processor_instance).to receive(:head).with(:forbidden, :text => "Mandrill signature did not match.")

I'm open to suggestions:

@tardate, I don't have a strong opinion one way or another. If I were to guess, I would say it's probably safe and simpler to just change it to a 404. It might be a little more confusing for someone debugging their webhook, though, so not sure if you want to maintain both options. I could see something like:

    authenticate_with_mandrill_keys! 'YOUR_MANDRILL_WEBHOOK_KEY', fail_with: :not_found
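The following is an added example, not code from the mandrill-rails gem or from either participant. It models the two behaviours discussed in the thread side by side: the current 403 with a descriptive message, and the proposed `fail_with: :not_found` option that answers a bare 404. The signing scheme (Base64 of HMAC-SHA1 over the webhook URL followed by the sorted POST parameters) follows Mandrill's documented approach as I understand it; the class name, `authenticate` method and the sample key and URL are assumptions for illustration.

```ruby
require 'openssl'

# Added example (not the gem's code): a webhook authenticator whose failure
# response is configurable, so a failed signature check can answer either a
# descriptive 403 or an uninformative 404.
class WebhookAuthenticator
  # Assumption: Mandrill signs Base64(HMAC-SHA1(key, url + each sorted param
  # name immediately followed by its value)).
  def self.signature_for(key, url, params)
    data = url.dup
    params.keys.sort.each { |k| data << k.to_s << params[k].to_s }
    digest = OpenSSL::HMAC.digest('sha1', key, data)
    [digest].pack('m0') # strict Base64, no trailing newline
  end

  # Constant-time comparison: a length mismatch is rejected up front, and the
  # byte-by-byte XOR never short-circuits, so timing does not leak how many
  # leading bytes of a guessed signature were right.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Failure responses as [status, body]. :forbidden is the behaviour quoted in
  # the thread; :not_found is the generic 404 the issue asks for.
  RESPONSES = {
    forbidden: [403, 'Mandrill signature did not match.'],
    not_found: [404, '']
  }.freeze

  def initialize(keys, fail_with: :forbidden)
    raise ArgumentError, "unknown fail_with: #{fail_with.inspect}" unless RESPONSES.key?(fail_with)
    @keys = Array(keys)   # several keys are allowed so a key rotation can overlap
    @fail_with = fail_with
  end

  # Returns [status, body]. A missing signature takes the same failure path as
  # a wrong one, so the response does not distinguish the two cases.
  def authenticate(url, params, presented_signature)
    return RESPONSES[@fail_with] if presented_signature.nil?
    ok = @keys.any? do |key|
      self.class.secure_equal?(self.class.signature_for(key, url, params), presented_signature)
    end
    ok ? [200, 'ok'] : RESPONSES[@fail_with]
  end
end

# Constructed sample request (hypothetical key and URL).
SAMPLE_KEY    = 'YOUR_MANDRILL_WEBHOOK_KEY'
SAMPLE_URL    = 'https://example.invalid/inbox'
SAMPLE_PARAMS = { 'mandrill_events' => '[{"event":"inbound"}]' }
SAMPLE_SIG    = WebhookAuthenticator.signature_for(SAMPLE_KEY, SAMPLE_URL, SAMPLE_PARAMS)

if __FILE__ == $PROGRAM_NAME
  strict = WebhookAuthenticator.new(SAMPLE_KEY, fail_with: :not_found)
  p strict.authenticate(SAMPLE_URL, SAMPLE_PARAMS, SAMPLE_SIG)   # valid request
  p strict.authenticate(SAMPLE_URL, SAMPLE_PARAMS, 'bogus')      # bad signature -> bare 404
end
```

With `fail_with: :not_found`, a request carrying a wrong, missing or tampered signature gets exactly the same empty 404 as a request for a path that does not exist, which is the property the issue asks for; the default keeps the current 403 message for people debugging their own webhook setup.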