feat: sign webhooks for API channel and agentbots (#13892)

Account webhooks sign outgoing payloads with HMAC-SHA256, but agent bot and API inbox webhooks were delivered unsigned. This PR adds the same signing to both. Each model gets a dedicated `secret` column rather than reusing the agent bot's `access_token` (for API auth back into Chatwoot) or the API inbox's `hmac_token` (for inbound contact identity verification). These serve different trust boundaries and shouldn't be coupled — rotating a signing secret shouldn't invalidate API access or contact verification. The existing `Webhooks::Trigger` already signs when a secret is present, so the backend change is just passing `secret:` through to the jobs. Shared token logic is extracted into a `WebhookSecretable` concern included by `Webhook`, `AgentBot`, and `Channel::Api`. The frontend reuses the existing `AccessToken` component for secret display. Secrets are admin-only and excluded from enterprise audit logs. ### How to test Point an agent bot or API inbox webhook URL at a request inspector. Send a message and verify `X-Chatwoot-Signature` and `X-Chatwoot-Timestamp` headers are present. Reset the secret from settings and confirm subsequent deliveries use the new value. --------- Co-authored-by: Sojan Jose <sojan@pepalo.com>
2026-04-06 15:28:25 +05:30
parent f4d66566d0
commit 95463230cb
32 changed files with 273 additions and 28 deletions
--- a/app/models/agent_bot.rb
+++ b/app/models/agent_bot.rb
@@ -8,6 +8,7 @@
 #  description  :string
 #  name         :string
 #  outgoing_url :string
+#  secret       :string
 #  created_at   :datetime         not null
 #  updated_at   :datetime         not null
 #  account_id   :bigint
@@ -21,6 +22,8 @@ class AgentBot < ApplicationRecord
  include AccessTokenable
  include Avatarable

+  include WebhookSecretable
+
  scope :accessible_to, lambda { |account|
    account_id = account&.id
    where(account_id: [nil, account_id])
@@ -63,3 +66,5 @@ class AgentBot < ApplicationRecord
    account.nil?
  end
 end
+
+AgentBot.include_mod_with('Audit::AgentBot')
--- a/app/models/channel/api.rb
+++ b/app/models/channel/api.rb
@@ -7,6 +7,7 @@
 #  hmac_mandatory        :boolean          default(FALSE)
 #  hmac_token            :string
 #  identifier            :string
+#  secret                :string
 #  webhook_url           :string
 #  created_at            :datetime         not null
 #  updated_at            :datetime         not null
@@ -26,6 +27,7 @@ class Channel::Api < ApplicationRecord

  has_secure_token :identifier
  has_secure_token :hmac_token
+  include WebhookSecretable
  validate :ensure_valid_agent_reply_time_window
  validates :webhook_url, length: { maximum: Limits::URL_LENGTH_LIMIT }

--- a/app/models/concerns/webhook_secretable.rb
+++ b/app/models/concerns/webhook_secretable.rb
@@ -0,0 +1,13 @@
+module WebhookSecretable
+  extend ActiveSupport::Concern
+
+  included do
+    has_secure_token :secret
+    encrypts :secret if Chatwoot.encryption_configured?
+  end
+
+  def reset_secret!
+    regenerate_secret
+    reload
+  end
+end
--- a/app/models/webhook.rb
+++ b/app/models/webhook.rb
@@ -22,8 +22,7 @@ class Webhook < ApplicationRecord
  belongs_to :account
  belongs_to :inbox, optional: true

-  has_secure_token :secret
-  encrypts :secret if Chatwoot.encryption_configured?
+  include WebhookSecretable

  validates :account_id, presence: true
  validates :url, uniqueness: { scope: [:account_id] }, format: URI::DEFAULT_PARSER.make_regexp(%w[http https])