ai/live: use webhookUrl query param to override auth webhook url #3732
Conversation
github-actions
bot
added
go
|
@junhyr Damn, just realised a problem with this, it's open to people putting in their own webhook URL and grabbing the admin auth token when the auth call is made. |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3732 +/- ##
===================================================
- Coverage 31.66820% 31.66367% -0.00453%
===================================================
Files 158 158
Lines 47764 47774 +10
===================================================
+ Hits 15126 15127 +1
- Misses 31738 31747 +9
Partials 900 900
... and 2 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
yeah that will do, but it seems like we're not using |
Yeah that's ok, I've added the authorization header in another PR |
|
@junhyr i was going to make the change to check the hostname but then remembered the fly preview urls don't use any of our livepeer domains |
|
If we pass in the auth URL as part of the query string, we can pass in additional request headers as part of the query string, why not. And keep them coupled - if the auth URL is overriden then don't pass in any default headers (like the auth token), only the headers that were specified by the user. Something like Implementation-wise that would be easier for folks to manage if they want to integrate a webhook endpoint, rather than have to roll their own HMAC signature checking and it's a little more standard as far as API authentication goes. Leaking secrets is one thing but IMO the bigger problem is that by controlling the URL, the attacker can also control the response. So the auth webhook wouldn't actually authenticate anything anymore and may actually become an attack vector if it enables things that the user shouldn't have access to. To fix this we should have a static shared secret somewhere in the response - either in the response header or the response object, and check that, like an API key in reverse. This should be optional (and separate from the main API key, of course). |
|
@j0sh We still want to verify whether the response is really coming from the gateway. but yes, we could add an additional Authorization header to the request if this information is considered sensitive. (Some additional |
@junhyr Sure, the original API key (in the request) does that, and we should keep that in as it's a standard and easy-to-use method for API authentication outside of Inc. The issue with allowing a user submitted webhook URL is that it side-steps auth completely. There needs to be another key to verify the legitimacy of the response. |
Add support for
webhookUrlquery parameter to overrideLiveAIAuthWebhookURL.Sign the auth requests rather than passing an API key to avoid exposing this to any 3rd party putting in their own endpoints as an override.