hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0
31.11k stars 2.77k forks

Add ability to "sign" payloads on event triggers #2416

Open jasonmccallister opened 5 years ago

jasonmccallister commented 5 years ago

I was looking at using this Laravel package, which allows a Laravel application to receive signed payloads. The default signature validator checks the entire payload using this line:

$computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);

We can implement our own custom validator that just checks for a required header, but it would be great to add the ability to sign a payload to ensure it's not tampered with!

napalm272 commented 5 years ago

This seems extremely important. For those of you who are using Hasura events in production, how do you make sure it's actually coming from Hasura, and the payload has not been tampered with?

jasonmccallister commented 5 years ago

@napalm272 when setting up an event trigger, you can set headers by environment variables.

We usually have a key per environment that we rotate on a regular basis. The application that receives the event trigger will reject if the headers and keys don't match. It is really up to you on how you want to implement event triggers.

This feature request is asking to hash the entire event trigger payload. Given the example payload here, if we were to use an online tool to sign the example payload, the signed hash would look like this:

5dc275454c1622a5a89362833e5f132e38e8ca1c08e2d696c7a464e5f8531cee

The receiving webhook would verify that string against the key it has, so if it was tampered with, the app could ignore the request.

This is the same approach that JWT takes and makes a lot of sense in a distributed world of applications. Hope that clarifies it a little!
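As an added illustration of the two approaches discussed above (the per-environment secret header that the thread uses today, and the requested HMAC over the whole event body, as in the Laravel validator quoted in the opening comment), here is a small Python model of both sides of the exchange. It is example code written for this page, not Hasura's code and not code from any commenter. The event body, the secret, and the header names are constructed for the example; the timestamp prefix in the signed message is an added assumption (the Laravel line above HMACs only the raw body) and is there to show how a receiver can also reject replays of an old, correctly signed event.

```python
import hashlib
import hmac
import json

# Constructed sample event body, loosely shaped like a Hasura event trigger
# payload. Illustrative only; not an actual payload captured from Hasura.
SAMPLE_EVENT = {
    "id": "85558393-7a1c-4f47-b0a5-3f0d4a7c9b21",
    "trigger": {"name": "on_user_insert"},
    "table": {"schema": "public", "name": "users"},
    "event": {
        "op": "INSERT",
        "data": {"old": None, "new": {"id": 42, "email": "alice@example.com"}},
    },
}

# Serialise once. The sender signs, and the receiver verifies, exactly the raw
# bytes on the wire. Re-serialising JSON on the receiving side (different key
# order or whitespace) would silently break the MAC.
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode("utf-8")

SIGNING_SECRET = b"example-signing-secret"  # assumed per-environment secret


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """Hypothetical sender side: HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC lets the receiver reject replays of an
    old event; the Laravel validator quoted in the thread MACs the body alone.
    """
    message = f"{timestamp}.".encode("ascii") + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_payload(secret: bytes, body: bytes, signature_header: str,
                   timestamp_header: str, now: int, max_skew: int = 300) -> bool:
    """Receiver side: recompute the MAC over the raw body and compare in
    constant time. Rejects malformed or stale timestamps before doing any
    cryptographic work."""
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_payload(secret, body, timestamp)
    # hmac.compare_digest avoids leaking where the first mismatch occurs.
    return hmac.compare_digest(expected, signature_header)


def verify_static_header(secret: str, header_value: str) -> bool:
    """The workaround described in the thread: a fixed secret in a header.
    It proves the caller knows the secret but says nothing about the body,
    so a modified body with the original header still passes."""
    return hmac.compare_digest(secret.encode("utf-8"),
                               (header_value or "").encode("utf-8"))


def demo() -> dict:
    """Run the sender and receiver against the constructed event and return
    the verification outcomes for the interesting cases."""
    now = 1_700_000_000
    signature = sign_payload(SIGNING_SECRET, SAMPLE_BODY, now)

    # An attacker flips the inserted row's id but keeps the original signature.
    tampered_body = SAMPLE_BODY.replace(b'"id":42', b'"id":1')

    return {
        "valid": verify_payload(SIGNING_SECRET, SAMPLE_BODY, signature, str(now), now),
        "tampered_body": verify_payload(SIGNING_SECRET, tampered_body, signature, str(now), now),
        "replayed_later": verify_payload(SIGNING_SECRET, SAMPLE_BODY, signature, str(now), now + 3600),
        "wrong_secret": verify_payload(b"some-other-secret", SAMPLE_BODY, signature, str(now), now),
        # The static header cannot tell the tampered body from the real one.
        "static_header_accepts_tampered": verify_static_header("s3cret", "s3cret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The receiver must read the request body as bytes before any framework middleware parses it; the `hash_hmac('sha256', $request->getContent(), ...)` line in the first comment works for the same reason. A secret header alone, as the demo's last case shows, only authenticates the sender and leaves the body unprotected on any hop where TLS is terminated.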

calvinl commented 5 years ago

Big thumbs up for this feature. I've been trying to figure out if there was any way to ensure that the event trigger payloads can be verified, but as it is right now there's no way to tell.

As for right now, the only way I can think of is to have the receiving webhook whitelist the hasura instance by IP or something.

EDIT: I'm realizing that using HTTPS would mostly negate this issue, though that's not always available in every situation. I still think signing a payload would be the most convenient way forward.

osseonews commented 3 years ago

Thumbs up too for this feature. Please allow creation of signed payloads for events. Right now, the only way a webhook can check that an event is coming from Hasura is to create a custom header in Hasura with some sort of secret. This is ultimately not very secure. It would be much better if Hasura hashed the payload with a secret, so the payload can be verified by the webhook on the receiving server by decoding the hash with the secret.

elephant3 commented 2 years ago

Any progress? This feature request shall be prioritized as it's security-related

MaxSchilling commented 1 year ago

+1 We are not using the feature due to this issue.