Have invalid signature transmit 404 error instead of forbidden

evendis / mandrill-rails

Webhook processing and event decoration to make using Mandrill with Rails just that much easier

MIT License

288 stars 36 forks source link

Have invalid signature transmit 404 error instead of forbidden #37

Open mockdeep opened 8 years ago

mockdeep commented 8 years ago

It would be nice if we could have our webhook render a generic 404 message to not give malicious attackers any information about what is going on.

tardate commented 8 years ago

@mockdeep that's a good idea. At the moment we probably give away TMI:

context "with invalid key" do
  ...
  expect(processor_instance).to receive(:head).with(:forbidden, :text => "Mandrill signature did not match.")

I'm open to suggestions:

just change this to a generic 404
or make this a configurable behaviour?

mockdeep commented 8 years ago

@tardate, I don't have a strong opinion one way or another. If I were to guess, I would say it's probably safe and simpler to just change it to a 404. It might be a little more confusing for someone debugging their webhook, though, so not sure if you want to maintain both options. I could see something like:

authenticate_with_mandrill_keys! 'YOUR_MANDRILL_WEBHOOK_KEY', fail_with: :not_found