Add optional shared key authentication for BPP Webhook communication #152

Closed
vbabuEM opened this issue May 27, 2024 · 1 comment
vbabuEM commented May 27, 2024

Problem:
Currently the webhook communication between the BPP-Client and BPP Software is not secure. This is usually not an issue where the channel has other protection such as a virtual private network. However, in BPP software that is publicly accessible, this method will require whitelisting etc. on the BPP Software side.

Requirement:

  1. Add an optional shared key authentication mechanism (such as HMAC, hash-based message authentication code) to the communication between the BPP-Client and BPP SW. Though we have public key authentication in other communications (such as between BAP and BPP), here since both BPP and BPP-PS are installed and controlled by the same organisation, shared key authentication seems sufficient.
  2. Add a configuration key useHMACForWebhook which will be default false and assumed false if absent.
  3. Add a configuration key sharedKeyForWebhookHMAC which will be default empty and assumed empty if absent.
  4. If the useHMACForWebhook is true and if the sharedKeyForWebhookHMAC has a valid secret key, the content of the message is hashed, the signature calculated and sent in the Authorization header.
  5. In all other cases, including the current configuration (where both the above keys are missing), the webhook message is sent without this header.

The BPP Software with the shared key can authenticate the request.
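
The sender and receiver sides of the scheme requested above, as an added example that is not taken from the issue or from the project's code. It assumes HMAC-SHA256 and an `Authorization: HMAC-SHA256 <hex>` header format, neither of which the issue specifies; the function names are hypothetical.

```javascript
// Added example, not code from the protocol server.
// Assumptions: SHA-256 as the hash, "HMAC-SHA256 <hex digest>" as header format.
const crypto = require("node:crypto");

const SCHEME = "HMAC-SHA256"; // assumed scheme label

// Sender side (BPP-Client): build the headers for one webhook call.
// Missing keys behave as useHMACForWebhook=false and an empty shared key.
function buildWebhookHeaders(config, rawBody) {
  const headers = { "Content-Type": "application/json" };
  const key = config.sharedKeyForWebhookHMAC || "";
  if (config.useHMACForWebhook === true && key.length > 0) {
    const mac = crypto.createHmac("sha256", key).update(rawBody).digest("hex");
    headers.Authorization = `${SCHEME} ${mac}`;
  }
  return headers;
}

// Receiver side (BPP Software): verify over the raw request bytes,
// before any JSON parsing or re-serialisation changes them.
function verifyWebhook(sharedKey, rawBody, authorizationHeader) {
  if (!sharedKey || typeof authorizationHeader !== "string") return false;
  const [scheme, hex, ...rest] = authorizationHeader.trim().split(/\s+/);
  if (scheme !== SCHEME || rest.length > 0 || !/^[0-9a-f]{64}$/i.test(hex || "")) {
    return false;
  }
  const expected = crypto.createHmac("sha256", sharedKey).update(rawBody).digest();
  const received = Buffer.from(hex, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample input.
const sampleConfig = { useHMACForWebhook: true, sharedKeyForWebhookHMAC: "constructed-demo-key" };
const sampleBody = Buffer.from('{"context":{"action":"search"},"message":{}}');

function demo() {
  const key = sampleConfig.sharedKeyForWebhookHMAC;
  const signed = buildWebhookHeaders(sampleConfig, sampleBody);
  const tampered = Buffer.from(sampleBody.toString().replace("search", "select"));
  return {
    accepted: verifyWebhook(key, sampleBody, signed.Authorization),
    tamperedRejected: !verifyWebhook(key, tampered, signed.Authorization),
    unsignedRejected: !verifyWebhook(key, sampleBody, undefined),
    legacyHasNoHeader: !("Authorization" in buildWebhookHeaders({}, sampleBody)),
  };
}
```

When the receiver has HMAC enabled, a request without the header is rejected rather than treated as a legacy unsigned call.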

@vbabuEM vbabuEM self-assigned this May 27, 2024
@vbabuEM vbabuEM added the enhancement New feature or request label May 27, 2024
@vbabuEM vbabuEM added the protocol server protocol server label Jun 10, 2024
@em-abee em-abee assigned em-abee and unassigned vbabuEM Jun 20, 2024
em-abee commented Jun 25, 2024

PR #193
