feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-01-17 22:44:03 +05:30
parent d758df8807
commit b6e8173b24
26 changed files with 517 additions and 311 deletions
--- a/app/models/channel/web_widget.rb
+++ b/app/models/channel/web_widget.rb
@@ -4,6 +4,7 @@
 #
 #  id              :integer          not null, primary key
 #  feature_flags   :integer          default(3), not null
+#  hmac_token      :string
 #  reply_time      :integer          default("in_a_few_minutes")
 #  website_token   :string
 #  website_url     :string
@@ -16,6 +17,7 @@
 #
 # Indexes
 #
+#  index_channel_web_widgets_on_hmac_token     (hmac_token) UNIQUE
 #  index_channel_web_widgets_on_website_token  (website_token) UNIQUE
 #

@@ -30,6 +32,8 @@ class Channel::WebWidget < ApplicationRecord
  belongs_to :account
  has_one :inbox, as: :channel, dependent: :destroy
  has_secure_token :website_token
+  has_secure_token :hmac_token
+
  has_flags 1 => :attachments,
            2 => :emoji_picker,
            :column => 'feature_flags'