mattermost / mattermost-plugin-zoom

Zoom plugin for Mattermost :electric_plug:
Apache License 2.0

Implement webhook validation #278

Closed mickmister closed 1 year ago

mickmister commented 2 years ago

Zoom has changed how their webhook setup works, and requires some logic on our end to validate the webhook is set up properly. This involves:

The webhook must be validated before Zoom's interface will allow the admin to save the webhook configuration in Zoom's app setup UI. This does not affect existing setups of the plugin, but it will affect any new setup, and any instance of an admin wanting to update the webhook secret or change the events associated with the webhook configuration.

Setting up the webhook for validation requires us to store a new Secret Token from Zoom's webhook configuration UI. If this value is not set, we simply skip the "signature verification" step when processing webhook events. We technically don't need to do this step, because Zoom has no way of verifying this is occurring on subsequent webhook events, and because we are already using our own secret for the webhook. Either way, it's best to comply with what Zoom is asking for, and it adds another layer of security provided by Zoom.
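
The two checks described in the comment above, written out in Go as an added example (not the plugin's own code): answering Zoom's validation challenge with the Secret Token, and verifying the signature on later events while skipping the check when no token is stored. The function names are hypothetical; the `endpoint.url_validation` fields, the `x-zm-signature` / `x-zm-request-timestamp` headers and the `v0` message format are taken from Zoom's public webhook documentation, and using the raw request body as the signed payload is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacHex returns hex(HMAC-SHA256(secret, msg)).
func hmacHex(secret, msg string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// ValidationResponse builds the JSON fields returned for an
// endpoint.url_validation event: the challenge's plainToken echoed back,
// plus its HMAC under the Secret Token.
func ValidationResponse(secretToken, plainToken string) map[string]string {
	return map[string]string{
		"plainToken":     plainToken,
		"encryptedToken": hmacHex(secretToken, plainToken),
	}
}

// VerifySignature compares the x-zm-signature header value with the HMAC of
// "v0:<x-zm-request-timestamp>:<raw body>". An empty secretToken skips the
// check, which is the fallback behaviour the issue describes.
func VerifySignature(secretToken, timestamp, rawBody, signature string) bool {
	if secretToken == "" {
		return true // Secret Token not configured: verification is skipped
	}
	expected := "v0=" + hmacHex(secretToken, "v0:"+timestamp+":"+rawBody)
	return hmac.Equal([]byte(expected), []byte(signature)) // constant-time compare
}

func main() {
	// Constructed sample values, not captured from a real Zoom request.
	secret, ts, body := "constructed-secret", "1700000000", `{"event":"meeting.ended"}`
	sig := "v0=" + hmacHex(secret, "v0:"+ts+":"+body)
	fmt.Println(ValidationResponse(secret, "constructed-plain-token"))
	fmt.Println(VerifySignature(secret, ts, body, sig))
	fmt.Println(VerifySignature(secret, ts, body+" ", sig))
}
```

The signature is computed over the body bytes as received, so the check has to run before the payload is parsed and re-serialized.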

theAkito commented 1 year ago

So, does that mean, I can fake verify it & then keep using it in the real scenario? Or, what is the workaround here?


Tested it with https://github.com/zoom/webhook-sample-node.js, but it does not work, because the URL needs to stay the same.

Which means, this feature in this Mattermost plugin is broken.

mickmister commented 1 year ago

Hi @theAkito, this feature is now fixed and released as v1.6.2

theAkito commented 1 year ago

> Hi @theAkito, this feature is now fixed and released as v1.6.2

Yes, I saw, thank you very much.