Add Webhooks module

riebeekn · jacobiajohnson · commit 6f7c1a46e8c4 · 2023-03-08T07:59:38.000-05:00
diff --git a/lib/workos/webhooks/event.ex b/lib/workos/webhooks/event.ex
@@ -0,0 +1,31 @@
+defmodule WorkOS.Webhooks.Event do
+  @moduledoc """
+  Module to represent a webhook event
+  """
+  defstruct [:id, :event, :data]
+
+  @spec new(payload :: String.t()) :: __MODULE__
+  def new(payload) do
+    processed_map =
+      [:id, :event, :data]
+      |> Enum.reduce(%{}, fn key, acc ->
+        string_key = to_string(key)
+        converted_value = Map.get(payload, string_key) |> convert_value()
+        Map.put(acc, key, converted_value)
+      end)
+
+    struct(%__MODULE__{}, processed_map)
+  end
+
+  defp convert_value(value) when is_map(value), do: convert_map(value)
+  defp convert_value(value) when is_list(value), do: convert_list(value)
+  defp convert_value(value), do: value
+
+  defp convert_map(value) do
+    Enum.reduce(value, %{}, fn {key, value}, acc ->
+      Map.put(acc, String.to_atom(key), convert_value(value))
+    end)
+  end
+
+  defp convert_list(list), do: list |> Enum.map(&convert_value/1)
+end
diff --git a/lib/workos/webhooks/webhooks.ex b/lib/workos/webhooks/webhooks.ex
@@ -0,0 +1,144 @@
+defmodule WorkOS.Webhooks do
+  @moduledoc """
+  The Webhooks module provides convenience methods for working with WorkOS webhooks.
+  Creates a WorkOS Webhook Event from the webhook's payload if signature is valid.
+
+  See https://workos.com/docs/webhooks
+  """
+  alias WorkOS.Webhooks.Event
+  @three_minute_default_tolerance 60 * 3
+
+  @doc """
+  Verify webhook payload and return an event.
+
+  `payload` is the raw, unparsed content body sent by WorkOS, which can be
+  retrieved with `Plug.Conn.read_body/2`, Note that `Plug.Parsers` will read
+  and discard the body, so you must implement a [custom body reader][1] if the
+  plug is located earlier in the pipeline.
+
+  `sigHeader` is the value of `workos-signature` header, which can be fetched
+  with `Plug.Conn.get_req_header/2`, i.e. `Plug.Conn.get_req_header(conn, "workos-signature")`.
+
+  `secret` is your webhook endpoint's secret from the WorkOS Dashboard.
+
+  `tolerance` is the allowed deviation in seconds from the current system time
+  to the timestamp found in `signature`. Defaults to 180 seconds (3 minutes).
+
+  WorkOS API reference:
+  https://workos.com/docs/webhooks/securing-your-webhook-endpoint/validating-events-are-from-workos
+
+  [1]: https://hexdocs.pm/plug/Plug.Parsers.html#module-custom-body-reader
+
+  ## Example plug in your consuming application which places the constructed
+     event in the conn assigns
+
+  defmodule MyAppWeb.WorkOSWebhooksPlug do
+    @behaviour Plug
+
+    alias Plug.Conn
+
+    def init(config), do: config
+
+    # Match on any requests from workos, i.e. the Endpoint URL configured in
+    # the WorkOS Dashboard, adjust @request_path as appropriate
+    @request_path "/webhooks/workos"
+    def call(%{request_path: @request_path} = conn, _) do
+      signing_secret = Application.get_env(:workos, :webhook_signing_secret)
+      [worksos_signature] = Conn.get_req_header(conn, "workos-signature")
+
+      with {:ok, body, _} <- Conn.read_body(conn),
+           {:ok, workos_event} <-
+             WorkOS.Webhooks.construct_event(body, worksos_signature, signing_secret) do
+        Conn.assign(conn, :workos_event, workos_event)
+      else
+        {:error, error} ->
+          conn
+          |> Conn.send_resp(:bad_request, error.message)
+          |> Conn.halt()
+      end
+    end
+
+    def call(conn, _), do: conn
+  end
+
+  As per the aforementioned note about `Plug.Parsers` the above plug would need to
+  precede these in Endpoint.ex ... i.e.
+
+  defmodule MyAppWeb.Endpoint do
+    ...
+    ...
+
+    plug Plug.Telemetry, event_prefix: [:phoenix, :endpoint]
+
+    plug MyAppWeb.WorkOSWebhooksPlug
+
+    plug Plug.Parsers,
+    parsers: [:urlencoded, :multipart, :json],
+    pass: ["*/*"],
+    json_decoder: Phoenix.json_library()
+    ...
+    ...
+  """
+  @spec construct_event(
+          payload :: String.t(),
+          sigHeader :: String.t(),
+          secret :: String.t(),
+          tolerance :: pos_integer()
+        ) :: {:ok, payload :: map()} | {:error, message :: String.t()}
+  def construct_event(payload, sigHeader, secret, tolerance \\ @three_minute_default_tolerance) do
+    with {:ok, %{timestamp: timestamp, expected_signature_hash: expected_signature_hash}} <-
+           get_timestamp_and_expected_signature_hash(sigHeader),
+         :ok <- verify_time_tolerance(timestamp, tolerance),
+         {:ok, computed_signature_hash} <- compute_signature(timestamp, payload, secret),
+         :ok <- compare_signatures(computed_signature_hash, expected_signature_hash) do
+      {:ok, payload |> Jason.decode!() |> Event.new()}
+    end
+  end
+
+  defp compare_signatures(computed_signature_hash, expected_signature_hash) do
+    if Plug.Crypto.secure_compare(computed_signature_hash, expected_signature_hash) do
+      :ok
+    else
+      {:error, "Signature hash does not match the expected signature hash for payload"}
+    end
+  end
+
+  defp compute_signature(timestamp, payload, secret) do
+    unhashed_string = "#{timestamp}.#{payload}"
+
+    computed_signature =
+      :crypto.mac(:hmac, :sha256, secret, unhashed_string)
+      |> Base.encode16(case: :lower)
+
+    {:ok, computed_signature}
+  end
+
+  defp verify_time_tolerance(timestamp, tolerance) do
+    timestamp_date = DateTime.from_unix!(timestamp, :millisecond)
+
+    latest_allowed_date = DateTime.utc_now() |> DateTime.add(tolerance * -1)
+
+    if DateTime.compare(timestamp_date, latest_allowed_date) == :gt do
+      :ok
+    else
+      {:error, "Timestamp outside the tolerance zone"}
+    end
+  end
+
+  @expected_scheme "v1"
+  defp get_timestamp_and_expected_signature_hash(signature) do
+    parsed =
+      for pair <- String.split(signature, ","),
+          destructure([key, value], String.split(pair, "=", parts: 2)),
+          do: {key |> String.trim(), value},
+          into: %{}
+
+    with %{"t" => timestamp, @expected_scheme => signature_hash} <- parsed,
+         {timestamp, ""} <- Integer.parse(timestamp),
+         true <- String.length(signature_hash) > 0 do
+      {:ok, %{timestamp: timestamp, expected_signature_hash: signature_hash}}
+    else
+      _ -> {:error, "Signature or timestamp missing"}
+    end
+  end
+end
diff --git a/mix.exs b/mix.exs
@@ -29,6 +29,7 @@ defmodule WorkOS.MixProject do
       {:tesla, "~> 1.4"},
       {:hackney, "~> 1.18.0"},
       {:jason, ">= 1.0.0"},
+      {:plug_crypto, "~> 1.0"},
       {:ex_doc, "~> 0.23", only: :dev, runtime: false},
       {:credo, "~> 1.6", only: [:dev, :test], runtime: false}
     ]
diff --git a/mix.lock b/mix.lock
@@ -16,6 +16,7 @@
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
   "nimble_parsec": {:hex, :nimble_parsec, "1.2.3", "244836e6e3f1200c7f30cb56733fd808744eca61fd182f731eac4af635cc6d0b", [:mix], [], "hexpm", "c8d789e39b9131acf7b99291e93dae60ab48ef14a7ee9d58c6964f59efb570b0"},
   "parse_trans": {:hex, :parse_trans, "3.3.1", "16328ab840cc09919bd10dab29e431da3af9e9e7e7e6f0089dd5a2d2820011d8", [:rebar3], [], "hexpm", "07cd9577885f56362d414e8c4c4e6bdf10d43a8767abb92d24cbe8b24c54888b"},
+  "plug_crypto": {:hex, :plug_crypto, "1.2.3", "8f77d13aeb32bfd9e654cb68f0af517b371fb34c56c9f2b58fe3df1235c1251a", [:mix], [], "hexpm", "b5672099c6ad5c202c45f5a403f21a3411247f164e4a8fab056e5cd8a290f4a2"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.6", "cf344f5692c82d2cd7554f5ec8fd961548d4fd09e7d22f5b62482e5aeaebd4b0", [:make, :mix, :rebar3], [], "hexpm", "bdb0d2471f453c88ff3908e7686f86f9be327d065cc1ec16fa4540197ea04680"},
   "tesla": {:hex, :tesla, "1.4.4", "bb89aa0c9745190930366f6a2ac612cdf2d0e4d7fff449861baa7875afd797b2", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]}, {:finch, "~> 0.3", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse, "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3", [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "d5503a49f9dec1b287567ea8712d085947e247cb11b06bc54adb05bfde466457"},
   "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
diff --git a/test/workos/webhooks/webhooks_test.exs b/test/workos/webhooks/webhooks_test.exs
@@ -0,0 +1,149 @@
+defmodule WorkOS.WebhooksTest do
+  use ExUnit.Case
+
+  alias WorkOS.Webhooks
+
+  @secret "secret"
+  @timestamp DateTime.utc_now() |> DateTime.add(30) |> DateTime.to_unix(:millisecond)
+  @payload """
+  {"id": "wh_123","data":{"id":"directory_user_01FAEAJCR3ZBZ30D8BD1924TVG","state":"active","emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"idp_id":"00u1e8mutl6wlH3lL4x7","object":"directory_user","username":"blair@foo-corp.com","last_name":"Lunchford","first_name":"Blair","job_title":"Software Engineer","directory_id":"directory_01F9M7F68PZP8QXP8G7X5QRHS7","raw_attributes":{"name":{"givenName":"Blair","familyName":"Lunchford","middleName":"Elizabeth","honorificPrefix":"Ms."},"title":"Software Engineer","active":true,"emails":[{"type":"work","value":"blair@foo-corp.com","primary":true}],"groups":[],"locale":"en-US","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"userName":"blair@foo-corp.com","addresses":[{"region":"CA","primary":true,"locality":"San Francisco","postalCode":"94016"}],"externalId":"00u1e8mutl6wlH3lL4x7","displayName":"Blair Lunchford","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"2","displayName":"Kate Chapman"},"division":"Engineering","department":"Customer Success"}}},"event":"dsync.user.created"}
+  """
+  @unhashed_string "#{@timestamp}.#{@payload}"
+  @signature_hash :crypto.mac(:hmac, :sha256, @secret, @unhashed_string)
+                  |> Base.encode16(case: :lower)
+  @expectated_data_map %{
+    id: "directory_user_01FAEAJCR3ZBZ30D8BD1924TVG",
+    state: "active",
+    emails: [
+      %{
+        type: "work",
+        value: "blair@foo-corp.com",
+        primary: true
+      }
+    ],
+    idp_id: "00u1e8mutl6wlH3lL4x7",
+    object: "directory_user",
+    username: "blair@foo-corp.com",
+    last_name: "Lunchford",
+    first_name: "Blair",
+    job_title: "Software Engineer",
+    directory_id: "directory_01F9M7F68PZP8QXP8G7X5QRHS7",
+    raw_attributes: %{
+      name: %{
+        givenName: "Blair",
+        familyName: "Lunchford",
+        middleName: "Elizabeth",
+        honorificPrefix: "Ms."
+      },
+      title: "Software Engineer",
+      active: true,
+      emails: [
+        %{
+          type: "work",
+          value: "blair@foo-corp.com",
+          primary: true
+        }
+      ],
+      groups: [],
+      locale: "en-US",
+      schemas: [
+        "urn:ietf:params:scim:schemas:core:2.0:User",
+        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
+      ],
+      userName: "blair@foo-corp.com",
+      addresses: [
+        %{
+          region: "CA",
+          primary: true,
+          locality: "San Francisco",
+          postalCode: "94016"
+        }
+      ],
+      externalId: "00u1e8mutl6wlH3lL4x7",
+      displayName: "Blair Lunchford",
+      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": %{
+        manager: %{
+          value: "2",
+          displayName: "Kate Chapman"
+        },
+        division: "Engineering",
+        department: "Customer Success"
+      }
+    }
+  }
+
+  describe "construct_event/4 - valid inputs" do
+    setup do
+      %{sig_header: "t=#{@timestamp}, v1=#{@signature_hash}"}
+    end
+
+    test "returns a webhook event with a valid payload, sig_header, and secret", %{
+      sig_header: sig_header
+    } do
+      {:ok, %WorkOS.Webhooks.Event{} = webhook} =
+        Webhooks.construct_event(@payload, sig_header, @secret)
+
+      assert webhook.data == @expectated_data_map
+      assert webhook.event == "dsync.user.created"
+      assert webhook.id == "wh_123"
+    end
+
+    test "returns a webhook event with a valid payload, sig_header, secret, and tolerance", %{
+      sig_header: sig_header
+    } do
+      {:ok, webhook} = Webhooks.construct_event(@payload, sig_header, @secret, 100)
+
+      assert webhook.data == @expectated_data_map
+      assert webhook.event == "dsync.user.created"
+      assert webhook.id == "wh_123"
+    end
+  end
+
+  describe "construct_event/4 - invalid inputs" do
+    setup do
+      %{sig_header: "t=#{@timestamp}, v1=#{@signature_hash}"}
+    end
+
+    test "returns an error with an empty header" do
+      empty_sig_header = ""
+
+      assert {:error, "Signature or timestamp missing"} ==
+               Webhooks.construct_event(@payload, empty_sig_header, @secret)
+    end
+
+    test "returns an error with an empty signature hash" do
+      missing_sig_hash = "t=#{@timestamp}, v1="
+
+      assert {:error, "Signature or timestamp missing"} ==
+               Webhooks.construct_event(@payload, missing_sig_hash, @secret)
+    end
+
+    test "returns an error with an incorrect signature hash" do
+      incorrect_sig_hash = "t=#{@timestamp}, v1=99999"
+
+      assert {:error, "Signature hash does not match the expected signature hash for payload"} ==
+               Webhooks.construct_event(@payload, incorrect_sig_hash, @secret)
+    end
+
+    test "returns an error with an incorrect payload", %{sig_header: sig_header} do
+      invalid_payload = "invalid"
+
+      assert {:error, "Signature hash does not match the expected signature hash for payload"} ==
+               Webhooks.construct_event(invalid_payload, sig_header, @secret)
+    end
+
+    test "returns an error with an incorrect secret", %{sig_header: sig_header} do
+      invalid_secret = "invalid"
+
+      assert {:error, "Signature hash does not match the expected signature hash for payload"} ==
+               Webhooks.construct_event(@payload, sig_header, invalid_secret)
+    end
+
+    test "returns an error with a timestamp outside tolerance" do
+      sig_header = "t=9999, v1=#{@signature_hash}"
+
+      assert {:error, "Timestamp outside the tolerance zone"} ==
+               Webhooks.construct_event(@payload, sig_header, @secret)
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ defmodule WorkOS.MixProject do`
`29`	`29`	`{:tesla, "~> 1.4"},`
`30`	`30`	`{:hackney, "~> 1.18.0"},`
`31`	`31`	`{:jason, ">= 1.0.0"},`
	`32`	`+ {:plug_crypto, "~> 1.0"},`
`32`	`33`	`{:ex_doc, "~> 0.23", only: :dev, runtime: false},`
`33`	`34`	`{:credo, "~> 1.6", only: [:dev, :test], runtime: false}`
`34`	`35`	`]`