Skip to content

Use webhook signing key instead of API key for webhook signature verification #819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
damiantw wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use webhook signing key instead of API key for webhook signature verification #819

damiantw wants to merge 1 commit into from

Conversation

@damiantw
Copy link

@damiantw damiantw commented Feb 16, 2022

When instantiating a Mailgun instance you are expected to provide an API key that is used to authenticate requests to the REST API.

// First, instantiate the SDK with your API credentials
$mg = Mailgun::create('key-example');

This API key was passed to the Api\Webhook instance that is instantiated via $mg->webhooks().

public function webhooks(): Api\Webhook
{
    return new Api\Webhook($this->httpClient, $this->requestBuilder, $this->hydrator, $this->apiKey);
}

https://github.com/mailgun/mailgun-php/blob/master/src/Mailgun.php#L142

This passed API key is used in the verifyWebhookSignature function.

This will result in improper verification results as the account webhook signing key should be used to compute the signature, not the REST API key.

As is, you must manually instantiate an Api\Webhook instance to provide a webhook signing key and properly validate webhook signatures using this library.

$webhook = new Webhook((new HttpClientConfigurator)->createConfiguredClient(), new RequestBuilder, new ModelHydrator,  'signing-key');
        
$webhook->verifyWebhookSignature($timestamp, $token, $signature); // This will work

This PR allows for passing a webhook signing key using the $mg->webhooks('signing-key') function.

faizanakram99
faizanakram99 suggested changes Feb 23, 2024
View reviewed changes
src/Mailgun.php
}

public function webhooks(): Api\Webhook
public function webhooks(string $signingKey = ''): Api\Webhook
Copy link

@faizanakram99 faizanakram99 Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public function webhooks(string $signingKey = ''): Api\Webhook
public function webhooks(string $signingKey): Api\Webhook

signing key isn't optional

@faizanakram99
Copy link

faizanakram99 commented Feb 23, 2024

@Nyholm this fixes an important bug, signing key used to be equal to api key earlier but it is not the case at least since last 2 years, this is a breaking change though... the signature changes but not sure whats the best way here considering the existing code is broken, verification fails when using api key

@dpslwk
Copy link

dpslwk commented Aug 19, 2024

changing to
return new Api\Webhook($this->httpClient, $this->requestBuilder, $this->hydrator, $signingKey ?: $this->apiKey);
would allow $signingKey to be optional and keep the old behaviour
which would then not be a behaviour BC, but does still leave a question of if the signature change is classed as a BC

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@faizanakram99 faizanakram99 faizanakram99 requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@damiantw @faizanakram99 @dpslwk