feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2021-01-17 22:44:03 +05:30
parent d758df8807
commit b6e8173b24
26 changed files with 517 additions and 311 deletions
--- a/docs/channels/website-sdk.md
+++ b/docs/channels/website-sdk.md
@@ -77,6 +77,21 @@ window.$chatwoot.setUser('<unique-identifier-key-of-the-user>', {

 Make sure that you reset the session when the user logs out of your app.

+### Identity validation
+
+To disallow impersonation and to keep the conversation with your customers private, we recommend setting up the identity validation in Chatwoot. Identity validation is enabled by generating an HMAC(hash based message authentication code) based on the `identifier` attribute, using SHA256. Along with the `identifier` you can pass `identifier_hash` also as shown below to make sure that the user is correct one.
+
+```js
+window.$chatwoot.setUser(`identifier-hash`, {
+  name: '', // Name of the user
+  avatar_url: '', // Avatar URL
+  email: '', // Email of the user
+  identifier_hash: '' // Identifier Hash generated based on the webwidget hmac_token
+})
+```
+
+To generate HMAC, read [identity validation](/website-sdk/identity-validation)
+
 ### Set custom attributes

 Inorder to set additional information about the customer you can use customer attributes field.