b6e8173b24
* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
31 lines
842 B
Ruby
31 lines
842 B
Ruby
class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController
|
|
def update
|
|
process_hmac
|
|
contact_identify_action = ContactIdentifyAction.new(
|
|
contact: @contact,
|
|
params: permitted_params.to_h.deep_symbolize_keys
|
|
)
|
|
render json: contact_identify_action.perform
|
|
end
|
|
|
|
private
|
|
|
|
def process_hmac
|
|
return if params[:identifier_hash].blank?
|
|
raise StandardError, 'HMAC failed: Invalid Identifer Hash Provided' unless valid_hmac?
|
|
|
|
@contact_inbox.update(hmac_verified: true)
|
|
end
|
|
|
|
def valid_hmac?
|
|
params[:identifier_hash] == OpenSSL::HMAC.hexdigest(
|
|
'sha256',
|
|
@web_widget.hmac_token,
|
|
params[:identifier].to_s
|
|
)
|
|
end
|
|
|
|
def permitted_params
|
|
params.permit(:website_token, :identifier, :identifier_hash, :email, :name, :avatar_url, custom_attributes: {})
|
|
end
|
|
end
|