twenty

Author SHA1 Message Date

Author	SHA1	Message	Date
Paul Rastoin	a8423e8503	[QRQC_2] No explicit any in `twenty-server` (#12068 ) # Introduction Added a no-explicit-any rule to the twenty-server, not applicable to tests and integration tests folder Related to https://github.com/twentyhq/core-team-issues/issues/975 Discussed with Charles ## In case of conflicts Until this is approved I won't rebased and handle conflict, just need to drop two latest commits and re run the scripts etc ## Legacy We decided not to handle the existing lint error occurrences and programmatically ignored them through a disable next line rule comment ## Open question We might wanna activate the [no-explicit-any](https://typescript-eslint.io/rules/no-explicit-any/) `ignoreRestArgs` for our use case ? ``` ignoreRestArgs?: boolean; ``` --------- Co-authored-by: etiennejouan <jouan.etienne@gmail.com>	2025-05-15 16:26:38 +02:00
Samyak Piya	df12ba6e98	Webhook Secret Field Implementation and Security Enhancements (#9187 ) (#9219 ) Closes #9187 This pull request introduces a new feature and several enhancements for managing webhook security by adding a secret field and enabling HMAC signature-based authentication. Below is a detailed breakdown of the changes made: ## Frontend Updates ### Secret Field on Webhook Edit Page - Added a new Secret section on the webhook edit page. - Includes a text input field for entering a webhook secret. - Added a descriptive note explaining the purpose of the secret for webhook authentication. ### State Management and Persistence - Integrated the secret field into the Webhook type definition and state management. - Connected the secret field UI to the data layer, ensuring seamless persistence of the secret field. ### Validation Improvement - Trims leading and trailing whitespace from webhook secret inputs to avoid potential validation issues. ## Backend Updates ### Database and Entity Changes - Introduced a nullable `secret` field to the `WebhookWorkspaceEntity` for securely storing webhook signing secrets. - Field uses a standard field ID: `20202020-97ce-410f-bff9-e9ccb038fb67`. ### Signature Generation - Implemented HMAC-SHA256 signature generation for webhook payloads when a secret is present: - Signatures are added as a custom `X-Twenty-Webhook-Signature` header. - Secret is excluded from the payload to maintain security. ### Enhanced Security Measures - Added additional headers for enhanced security: - Timestamp Header: Prevents replay attacks. - Nonce Header: Mitigates duplicate requests. - Updated the OpenAPI specification to include documentation on these security-related headers and signature verification. ## Documentation Updates - Updated OpenAPI documentation for webhook endpoints: - Described security-related headers (signature, timestamp, nonce). - Included detailed instructions for verifying HMAC signatures to assist consumers. ## Testing and Demonstration - [Loom Video Link](https://www.loom.com/share/bd827e4d045f46d99f3c8186e5e5676a?sid=a5e61904-0536-4e82-8055-3d05e4598393): Demonstrating the functionality of the secret field and webhook security features. - [Script Example Link](https://runkit.com/samyakpiya/676af044040c0400086d400a): A script showing how consumers can verify webhook authenticity using the HMAC signature. - [Testing Site Instance](https://webhook.site/#!/view/3472468b-ebcd-4b7f-a083-c4ba20825bb4/6885fdce-8843-4d3f-8fe0-1d8abdd53f68/1): Contains the logged requests sent during testing and is available for review. ## Steps for Review 1. Verify the secret field functionality on the webhook edit page, including state persistence and UI updates. 2. Review the security enhancements, including header additions and HMAC signature generation. 3. Validate OpenAPI documentation changes for completeness and clarity. --------- Co-authored-by: Félix Malfait <felix@twenty.com>	2024-12-28 11:47:14 +01:00

a8423e8503

[QRQC_2] No explicit any in twenty-server (#12068 )

# Introduction

Added a no-explicit-any rule to the twenty-server, not applicable to
tests and integration tests folder

Related to https://github.com/twentyhq/core-team-issues/issues/975
Discussed with Charles

## In case of conflicts
Until this is approved I won't rebased and handle conflict, just need to
drop two latest commits and re run the scripts etc

## Legacy
We decided not to handle the existing lint error occurrences and
programmatically ignored them through a disable next line rule comment

## Open question
We might wanna activate the
[no-explicit-any](https://typescript-eslint.io/rules/no-explicit-any/)
`ignoreRestArgs` for our use case ?
```
    ignoreRestArgs?: boolean;
```

---------

Co-authored-by: etiennejouan <jouan.etienne@gmail.com>

2025-05-15 16:26:38 +02:00

Samyak Piya

df12ba6e98

Webhook Secret Field Implementation and Security Enhancements (#9187 ) (#9219 )

Closes #9187

This pull request introduces a new feature and several enhancements for
managing webhook security by adding a secret field and enabling HMAC
signature-based authentication. Below is a detailed breakdown of the
changes made:

## Frontend Updates
### Secret Field on Webhook Edit Page
- Added a new **Secret** section on the webhook edit page.
  - Includes a text input field for entering a webhook secret.
- Added a descriptive note explaining the purpose of the secret for
webhook authentication.

### State Management and Persistence
- Integrated the secret field into the Webhook type definition and state
management.
- Connected the secret field UI to the data layer, ensuring seamless
persistence of the secret field.

### Validation Improvement
- Trims leading and trailing whitespace from webhook secret inputs to
avoid potential validation issues.

## Backend Updates
### Database and Entity Changes
- Introduced a nullable `secret` field to the `WebhookWorkspaceEntity`
for securely storing webhook signing secrets.
- Field uses a standard field ID:
`20202020-97ce-410f-bff9-e9ccb038fb67`.

### Signature Generation
- Implemented HMAC-SHA256 signature generation for webhook payloads when
a secret is present:
- Signatures are added as a custom `X-Twenty-Webhook-Signature` header.
  - Secret is excluded from the payload to maintain security.

### Enhanced Security Measures
- Added additional headers for enhanced security:
  - **Timestamp Header**: Prevents replay attacks.
  - **Nonce Header**: Mitigates duplicate requests.
- Updated the OpenAPI specification to include documentation on these
security-related headers and signature verification.

## Documentation Updates
- Updated OpenAPI documentation for webhook endpoints:
  - Described security-related headers (signature, timestamp, nonce).
- Included detailed instructions for verifying HMAC signatures to assist
consumers.

## Testing and Demonstration
- [Loom Video
Link](https://www.loom.com/share/bd827e4d045f46d99f3c8186e5e5676a?sid=a5e61904-0536-4e82-8055-3d05e4598393):
Demonstrating the functionality of the secret field and webhook security
features.
- [Script Example
Link](https://runkit.com/samyakpiya/676af044040c0400086d400a): A script
showing how consumers can verify webhook authenticity using the HMAC
signature.
- [Testing Site
Instance](https://webhook.site/#!/view/3472468b-ebcd-4b7f-a083-c4ba20825bb4/6885fdce-8843-4d3f-8fe0-1d8abdd53f68/1):
Contains the logged requests sent during testing and is available for
review.

## Steps for Review
1. Verify the secret field functionality on the webhook edit page,
including state persistence and UI updates.
2. Review the security enhancements, including header additions and HMAC
signature generation.
3. Validate OpenAPI documentation changes for completeness and clarity.

---------

Co-authored-by: Félix Malfait <felix@twenty.com>

2024-12-28 11:47:14 +01:00

2 Commits