feat: sign webhooks for API channel and agentbots (#13892)

Account webhooks sign outgoing payloads with HMAC-SHA256, but agent bot and API inbox webhooks were delivered unsigned. This PR adds the same signing to both. Each model gets a dedicated `secret` column rather than reusing the agent bot's `access_token` (for API auth back into Chatwoot) or the API inbox's `hmac_token` (for inbound contact identity verification). These serve different trust boundaries and shouldn't be coupled — rotating a signing secret shouldn't invalidate API access or contact verification. The existing `Webhooks::Trigger` already signs when a secret is present, so the backend change is just passing `secret:` through to the jobs. Shared token logic is extracted into a `WebhookSecretable` concern included by `Webhook`, `AgentBot`, and `Channel::Api`. The frontend reuses the existing `AccessToken` component for secret display. Secrets are admin-only and excluded from enterprise audit logs. ### How to test Point an agent bot or API inbox webhook URL at a request inspector. Send a message and verify `X-Chatwoot-Signature` and `X-Chatwoot-Timestamp` headers are present. Reset the secret from settings and confirm subsequent deliveries use the new value. --------- Co-authored-by: Sojan Jose <sojan@pepalo.com>
2026-04-06 15:28:25 +05:30
parent f4d66566d0
commit 95463230cb
32 changed files with 273 additions and 28 deletions
--- a/db/migrate/20260324070820_add_secret_to_agent_bots.rb
+++ b/db/migrate/20260324070820_add_secret_to_agent_bots.rb
@@ -0,0 +1,5 @@
+class AddSecretToAgentBots < ActiveRecord::Migration[7.1]
+  def change
+    add_column :agent_bots, :secret, :string
+  end
+end
--- a/db/migrate/20260324070828_add_secret_to_channel_api.rb
+++ b/db/migrate/20260324070828_add_secret_to_channel_api.rb
@@ -0,0 +1,5 @@
+class AddSecretToChannelApi < ActiveRecord::Migration[7.1]
+  def change
+    add_column :channel_api, :secret, :string
+  end
+end
--- a/db/migrate/20260324070835_backfill_agent_bot_and_channel_api_secrets.rb
+++ b/db/migrate/20260324070835_backfill_agent_bot_and_channel_api_secrets.rb
@@ -0,0 +1,15 @@
+class BackfillAgentBotAndChannelApiSecrets < ActiveRecord::Migration[7.1]
+  def up
+    AgentBot.where(secret: nil).find_each do |agent_bot|
+      agent_bot.update!(secret: SecureRandom.urlsafe_base64(24))
+    end
+
+    Channel::Api.where(secret: nil).find_each do |channel|
+      channel.update!(secret: SecureRandom.urlsafe_base64(24))
+    end
+  end
+
+  def down
+    # no-op: removing the columns in the previous migrations handles cleanup
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -131,6 +131,7 @@ ActiveRecord::Schema[7.1].define(version: 2026_03_24_102005) do
    t.bigint "account_id"
    t.integer "bot_type", default: 0
    t.jsonb "bot_config", default: {}
+    t.string "secret"
    t.index ["account_id"], name: "index_agent_bots_on_account_id"
  end

@@ -413,6 +414,7 @@ ActiveRecord::Schema[7.1].define(version: 2026_03_24_102005) do
    t.string "hmac_token"
    t.boolean "hmac_mandatory", default: false
    t.jsonb "additional_attributes", default: {}
+    t.string "secret"
    t.index ["hmac_token"], name: "index_channel_api_on_hmac_token", unique: true
    t.index ["identifier"], name: "index_channel_api_on_identifier", unique: true
  end