Open
Description
We've implemented a new Nylas Page webhook which works like this:
- When creating a Nylas Page, we set a URL which has to be triggered when a meeting is scheduled using this Nylas Page: https://github.com/topcoder-platform/taas-apis/blob/dev/src/services/NylasService.js#L136
- Then we listen to this endpoint and handle events inside the method `InterviewService.partiallyUpdateInterviewByWebhook`
- As a result, the endpoint `POST /v5/updateInterview/${interview.id}/nylas-webhooks` is not protected, and anyone may call it and change our Interview
Task
We have to implement authentication in some way which would ensure that when this webhook is called, it's done by Nylas for us, not by a random person.
Idea:
- Generate some token and pass it to the webhook URL in https://github.com/topcoder-platform/taas-apis/blob/dev/src/services/NylasService.js#L136, for example:
  `https://e344-77-120-181-211.ngrok.io/api/v5/updateInterview/${interview.id}/nylas-webhooks?authToken={authToken}`
- Then, inside the `POST /v5/updateInterview/${interview.id}/nylas-webhooks` endpoint, we have to check that this token was really generated by us and is valid
This is just an idea, any other ideas are highly welcome.
I believe that for this issue we would need to use some secret. Please create a new env variable for the secret like https://github.com/topcoder-platform/taas-apis/blob/dev/config/default.js#L342, don't use any existing secret.
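
Added example (not part of the original issue or the taas-apis code base): one way to realise the token idea above is to derive `authToken` as an HMAC of the interview id under the new secret, so a token issued for one interview cannot be replayed against another. The env variable name `NYLAS_WEBHOOK_SECRET`, the base URL and the three function names are assumptions made for this sketch.

```javascript
const crypto = require('crypto')

// Assumption: a new, dedicated env variable (hypothetical name). The fallback
// value is a constructed demo secret so the example runs offline.
const SECRET = process.env.NYLAS_WEBHOOK_SECRET || 'constructed-demo-secret'

// Token = HMAC-SHA256(secret, interview id). Hex output is URL-safe.
// The fixed prefix keeps this MAC distinct from any other use of the secret.
function generateWebhookToken (interviewId, secret = SECRET) {
  return crypto.createHmac('sha256', secret)
    .update(`nylas-webhook:${interviewId}`)
    .digest('hex')
}

// Builds the URL that is handed to Nylas when the Nylas Page is created.
function buildWebhookUrl (baseUrl, interviewId, secret = SECRET) {
  const path = `/api/v5/updateInterview/${encodeURIComponent(interviewId)}/nylas-webhooks`
  const url = new URL(path, baseUrl)
  url.searchParams.set('authToken', generateWebhookToken(interviewId, secret))
  return url.toString()
}

// Runs at the top of the webhook handler, before the Interview is touched.
// Returns false for a missing token, a repeated query parameter (array),
// a token issued for another interview, or a token made with another secret.
function verifyWebhookToken (interviewId, authToken, secret = SECRET) {
  if (typeof authToken !== 'string' || authToken.length === 0) return false
  const expected = Buffer.from(generateWebhookToken(interviewId, secret))
  const received = Buffer.from(authToken)
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (received.length !== expected.length) return false
  return crypto.timingSafeEqual(received, expected)
}
```

Because the token travels in the query string, it can end up in proxy and access logs, so those logs should mask `authToken`. Changing the secret invalidates every previously issued webhook URL.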