feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-01-17 22:44:03 +05:30
parent d758df8807
commit b6e8173b24
26 changed files with 517 additions and 311 deletions
--- a/docs/channels/identity-validation.md
+++ b/docs/channels/identity-validation.md
@@ -0,0 +1,84 @@
+---
+path: '/docs/website-sdk/identity-validation'
+title: 'Identity validation in Chatwoot'
+---
+
+To make sure the conversations between the customers and the support agents are private and to disallow impersonation, you can setup identity validation Chatwoot.
+
+Identity validation can be enabled by generating an HMAC. The key used to generate HMAC for each webwidget is different and can be copied from Inboxes -> Settings -> Configuration -> Identity Validation -> Copy the token shown there
+
+You can generate HMAC in different languages as shown below.
+
+
+```php
+<?php
+
+$key = 'webwidget.hmac_token';
+$message = 'identifier';
+
+$identifier_hash = hash_hmac('sha256', $message, $key);
+?>
+```
+
+```js
+const crypto = require('crypto');
+
+const key = 'webwidget.hmac_token';
+const message = 'identifier';
+
+const hash = crypto.createHmac('sha256', key).update(message);
+
+hash.digest('hex');
+```
+
+```rb
+require 'openssl'
+require 'base64'
+
+key = 'webwidget.hmac_token'
+message = 'identifier'
+
+OpenSSL::HMAC.hexdigest('sha256', key, message)
+```
+
+```elixir
+key = 'webwidget.hmac_token'
+message = 'identifier'
+
+signature = :crypto.hmac(:sha256, key, message)
+
+Base.encode16(signature, case: :lower)
+```
+
+
+```go
+package main
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+)
+
+func main() {
+  secret := []byte("webwidget.hmac_token")
+  message := []byte("identifier")
+
+  hash := hmac.New(sha256.New, secret)
+  hash.Write(message)
+  hex.EncodeToString(hash.Sum(nil))
+}
+```
+
+```py
+import hashlib
+import hmac
+import base64
+
+message = bytes('webwidget.hmac_token', 'utf-8')
+secret = bytes('identifier', 'utf-8')
+
+hash = hmac.new(secret, message, hashlib.sha256)
+hash.hexdigest()
+```
--- a/docs/channels/website-sdk.md
+++ b/docs/channels/website-sdk.md
@@ -77,6 +77,21 @@ window.$chatwoot.setUser('<unique-identifier-key-of-the-user>', {

 Make sure that you reset the session when the user logs out of your app.

+### Identity validation
+
+To disallow impersonation and to keep the conversation with your customers private, we recommend setting up the identity validation in Chatwoot. Identity validation is enabled by generating an HMAC(hash based message authentication code) based on the `identifier` attribute, using SHA256. Along with the `identifier` you can pass `identifier_hash` also as shown below to make sure that the user is correct one.
+
+```js
+window.$chatwoot.setUser(`identifier-hash`, {
+  name: '', // Name of the user
+  avatar_url: '', // Avatar URL
+  email: '', // Email of the user
+  identifier_hash: '' // Identifier Hash generated based on the webwidget hmac_token
+})
+```
+
+To generate HMAC, read [identity validation](/website-sdk/identity-validation)
+
 ### Set custom attributes

 Inorder to set additional information about the customer you can use customer attributes field.