feat: sign webhooks for API channel and agentbots (#13892)

Account webhooks sign outgoing payloads with HMAC-SHA256, but agent bot and API inbox webhooks were delivered unsigned. This PR adds the same signing to both. Each model gets a dedicated `secret` column rather than reusing the agent bot's `access_token` (for API auth back into Chatwoot) or the API inbox's `hmac_token` (for inbound contact identity verification). These serve different trust boundaries and shouldn't be coupled — rotating a signing secret shouldn't invalidate API access or contact verification. The existing `Webhooks::Trigger` already signs when a secret is present, so the backend change is just passing `secret:` through to the jobs. Shared token logic is extracted into a `WebhookSecretable` concern included by `Webhook`, `AgentBot`, and `Channel::Api`. The frontend reuses the existing `AccessToken` component for secret display. Secrets are admin-only and excluded from enterprise audit logs. ### How to test Point an agent bot or API inbox webhook URL at a request inspector. Send a message and verify `X-Chatwoot-Signature` and `X-Chatwoot-Timestamp` headers are present. Reset the secret from settings and confirm subsequent deliveries use the new value. --------- Co-authored-by: Sojan Jose <sojan@pepalo.com>
2026-04-06 15:28:25 +05:30
parent f4d66566d0
commit 95463230cb
32 changed files with 273 additions and 28 deletions
--- a/app/views/api/v1/accounts/agent_bots/reset_secret.json.jbuilder
+++ b/app/views/api/v1/accounts/agent_bots/reset_secret.json.jbuilder
@@ -0,0 +1 @@
+json.partial! 'api/v1/models/agent_bot', formats: [:json], resource: AgentBotPresenter.new(@agent_bot)
--- a/app/views/api/v1/accounts/inboxes/reset_secret.json.jbuilder
+++ b/app/views/api/v1/accounts/inboxes/reset_secret.json.jbuilder
@@ -0,0 +1 @@
+json.partial! 'api/v1/models/inbox', formats: [:json], resource: @inbox
--- a/app/views/api/v1/models/_agent_bot.json.jbuilder
+++ b/app/views/api/v1/models/_agent_bot.json.jbuilder
@@ -7,4 +7,5 @@ json.bot_type resource.bot_type
 json.bot_config resource.bot_config
 json.account_id resource.account_id
 json.access_token resource.access_token if resource.access_token.present?
+json.secret resource.secret if !resource.system_bot? && Current.account_user&.administrator?
 json.system_bot resource.system_bot?
--- a/app/views/api/v1/models/_inbox.json.jbuilder
+++ b/app/views/api/v1/models/_inbox.json.jbuilder
@@ -113,6 +113,7 @@ end
 ## API Channel Attributes
 if resource.api?
  json.hmac_token resource.channel.try(:hmac_token) if Current.account_user&.administrator?
+  json.secret resource.channel.try(:secret) if Current.account_user&.administrator?
  json.webhook_url resource.channel.try(:webhook_url)
  json.inbox_identifier resource.channel.try(:identifier)
  json.additional_attributes resource.channel.try(:additional_attributes)
				`@@ -0,0 +1 @@`
				`json.partial! 'api/v1/models/agent_bot', formats: [:json], resource: AgentBotPresenter.new(@agent_bot)`
				`@@ -0,0 +1 @@`
				`json.partial! 'api/v1/models/inbox', formats: [:json], resource: @inbox`