feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering.
* Add docs for identity-validation

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>

app/controllers/api/v1/widget/contacts_controller.rb

@@ -1,5 +1,6 @@
 class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController
   def update
+    process_hmac
     contact_identify_action = ContactIdentifyAction.new(
       contact: @contact,
       params: permitted_params.to_h.deep_symbolize_keys
@@ -9,7 +10,22 @@ class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController
 
   private
 
+  def process_hmac
+    return if params[:identifier_hash].blank?
+    raise StandardError, 'HMAC failed: Invalid Identifer Hash Provided' unless valid_hmac?
+
+    @contact_inbox.update(hmac_verified: true)
+  end
+
+  def valid_hmac?
+    params[:identifier_hash] == OpenSSL::HMAC.hexdigest(
+      'sha256',
+      @web_widget.hmac_token,
+      params[:identifier].to_s
+    )
+  end
+
   def permitted_params
-    params.permit(:website_token, :identifier, :email, :name, :avatar_url, custom_attributes: {})
+    params.permit(:website_token, :identifier, :identifier_hash, :email, :name, :avatar_url, custom_attributes: {})
   end
 end