Chatwoot/app/controllers/api/v1/widget/contacts_controller.rb

class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController
  before_action :process_hmac, only: [:update]

  def show; end

  def update
    contact_identify_action = ContactIdentifyAction.new(
      contact: @contact,
      params: permitted_params.to_h.deep_symbolize_keys
    )
    @contact = contact_identify_action.perform
  end

  # TODO : clean up this with proper routes delete contacts/custom_attributes
  def destroy_custom_attributes
    @contact.custom_attributes = @contact.custom_attributes.excluding(params[:custom_attributes])
    @contact.save!
    render json: @contact
  end

  private

  def process_hmac
    return unless should_verify_hmac?

    render json: { error: 'HMAC failed: Invalid Identifier Hash Provided' }, status: :unauthorized unless valid_hmac?

    @contact_inbox.update(hmac_verified: true)
  end

  def should_verify_hmac?
    return false if params[:identifier_hash].blank? && !@web_widget.hmac_mandatory

    # Taking an extra caution that the hmac is triggered whenever identifier is present
    return false if params[:custom_attributes].present? && params[:identifier].blank?

    true
  end

  def valid_hmac?
    params[:identifier_hash] == OpenSSL::HMAC.hexdigest(
      'sha256',
      @web_widget.hmac_token,
      params[:identifier].to_s
    )
  end

  def permitted_params
    params.permit(:website_token, :identifier, :identifier_hash, :email, :name, :avatar_url, :phone_number, custom_attributes: {},
                                                                                                            additional_attributes: {})
  end
end
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController`
fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`before_action :process_hmac, only: [:update]`
Fix: Hide prechat for sessions inititated with setUser (#1914) 2021-03-20 12:14:20 +00:00
			`def show; end`

Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`def update`
			`contact_identify_action = ContactIdentifyAction.new(`
			`contact: @contact,`
			`params: permitted_params.to_h.deep_symbolize_keys`
			`)`
fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`@contact = contact_identify_action.perform`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`end`

chore: Update `deleteCustomAttribute` method in SDK (#3334) 2021-11-15 09:26:35 +00:00			`# TODO : clean up this with proper routes delete contacts/custom_attributes`
			`def destroy_custom_attributes`
			`@contact.custom_attributes = @contact.custom_attributes.excluding(params[:custom_attributes])`
			`@contact.save!`
			`render json: @contact`
			`end`

Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`private`

feat: HMAC verification for web widget (#1643) * feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2021-01-17 17:14:03 +00:00			`def process_hmac`
fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`return unless should_verify_hmac?`
fix: Ensure HMAC mandatory when enabled (#3350) Add missing condition checking if HMAC is mandatory. Fixes #3349 2021-11-11 04:18:38 +00:00
			`render json: { error: 'HMAC failed: Invalid Identifier Hash Provided' }, status: :unauthorized unless valid_hmac?`
feat: HMAC verification for web widget (#1643) * feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2021-01-17 17:14:03 +00:00
			`@contact_inbox.update(hmac_verified: true)`
			`end`

fix: Add fixes for sentry errors (#3522) - Add fixes for sentry errors 2021-12-09 06:20:28 +00:00			`def should_verify_hmac?`
			`return false if params[:identifier_hash].blank? && !@web_widget.hmac_mandatory`

			`# Taking an extra caution that the hmac is triggered whenever identifier is present`
			`return false if params[:custom_attributes].present? && params[:identifier].blank?`

			`true`
			`end`

feat: HMAC verification for web widget (#1643) * feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com> 2021-01-17 17:14:03 +00:00			`def valid_hmac?`
			`params[:identifier_hash] == OpenSSL::HMAC.hexdigest(`
			`'sha256',`
			`@web_widget.hmac_token,`
			`params[:identifier].to_s`
			`)`
			`end`

Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`def permitted_params`
feat: Add additional attributes in `setUser` method (#3958) 2022-02-28 06:40:55 +00:00			`params.permit(:website_token, :identifier, :identifier_hash, :email, :name, :avatar_url, :phone_number, custom_attributes: {},`
			`additional_attributes: {})`
Feature: Website SDK (#653) Add SDK functions Co-authored-by: Sojan <sojan@pepalo.com> 2020-04-03 07:34:58 +00:00			`end`
			`end`