feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering.
* Add docs for identity-validation

Co-authored-by: Pranav Raj S <pranav@chatwoot.com>

db/migrate/20210112174124_add_hmac_token_to_inbox.rb

@@ -0,0 +1,15 @@
+class AddHmacTokenToInbox < ActiveRecord::Migration[6.0]
+  def change
+    add_column :channel_web_widgets, :hmac_token, :string
+    add_index :channel_web_widgets, :hmac_token, unique: true
+    set_up_existing_webwidgets
+    add_column :contact_inboxes, :hmac_verified, :boolean, default: false
+  end
+
+  def set_up_existing_webwidgets
+    ::Channel::WebWidget.find_in_batches do |webwidgets_batch|
+      Rails.logger.info "migrated till #{webwidgets_batch.first.id}\n"
+      webwidgets_batch.map(&:regenerate_hmac_token)
+    end
+  end
+end

db/schema.rb

@@ -182,6 +182,8 @@ ActiveRecord::Schema.define(version: 2021_01_13_045116) do
     t.string "welcome_tagline"
     t.integer "feature_flags", default: 3, null: false
     t.integer "reply_time", default: 0
+    t.string "hmac_token"
+    t.index ["hmac_token"], name: "index_channel_web_widgets_on_hmac_token", unique: true
     t.index ["website_token"], name: "index_channel_web_widgets_on_website_token", unique: true
   end
 
@@ -191,6 +193,7 @@ ActiveRecord::Schema.define(version: 2021_01_13_045116) do
     t.string "source_id", null: false
     t.datetime "created_at", precision: 6, null: false
     t.datetime "updated_at", precision: 6, null: false
+    t.boolean "hmac_verified", default: false
     t.index ["contact_id"], name: "index_contact_inboxes_on_contact_id"
     t.index ["inbox_id", "source_id"], name: "index_contact_inboxes_on_inbox_id_and_source_id", unique: true
     t.index ["inbox_id"], name: "index_contact_inboxes_on_inbox_id"