Closes #9187

This pull request introduces a new feature and several enhancements for managing webhook security by adding a secret field and enabling HMAC signature-based authentication. Below is a detailed breakdown of the changes made:

## Frontend Updates

### Secret Field on Webhook Edit Page

- Added a new **Secret** section on the webhook edit page.
- Includes a text input field for entering a webhook secret.
- Added a descriptive note explaining the purpose of the secret for webhook authentication.

### State Management and Persistence

- Integrated the secret field into the Webhook type definition and state management.
- Connected the secret field UI to the data layer, ensuring seamless persistence of the secret field.

### Validation Improvement

- Trims leading and trailing whitespace from webhook secret inputs to avoid potential validation issues.

## Backend Updates

### Database and Entity Changes

- Introduced a nullable `secret` field to the `WebhookWorkspaceEntity` for securely storing webhook signing secrets.
- Field uses a standard field ID: `20202020-97ce-410f-bff9-e9ccb038fb67`.

### Signature Generation

- Implemented HMAC-SHA256 signature generation for webhook payloads when a secret is present:
  - Signatures are added as a custom `X-Twenty-Webhook-Signature` header.
  - Secret is excluded from the payload to maintain security.

### Enhanced Security Measures

- Added additional headers for enhanced security:
  - **Timestamp Header**: Prevents replay attacks.
  - **Nonce Header**: Mitigates duplicate requests.
- Updated the OpenAPI specification to include documentation on these security-related headers and signature verification.

## Documentation Updates

- Updated OpenAPI documentation for webhook endpoints:
  - Described security-related headers (signature, timestamp, nonce).
  - Included detailed instructions for verifying HMAC signatures to assist consumers.

## Testing and Demonstration

- [Loom Video Link](https://www.loom.com/share/bd827e4d045f46d99f3c8186e5e5676a?sid=a5e61904-0536-4e82-8055-3d05e4598393): Demonstrating the functionality of the secret field and webhook security features.
- [Script Example Link](https://runkit.com/samyakpiya/676af044040c0400086d400a): A script showing how consumers can verify webhook authenticity using the HMAC signature.
- [Testing Site Instance](https://webhook.site/#!/view/3472468b-ebcd-4b7f-a083-c4ba20825bb4/6885fdce-8843-4d3f-8fe0-1d8abdd53f68/1): Contains the logged requests sent during testing and is available for review.

## Steps for Review

1. Verify the secret field functionality on the webhook edit page, including state persistence and UI updates.
2. Review the security enhancements, including header additions and HMAC signature generation.
3. Validate OpenAPI documentation changes for completeness and clarity.

---------

Co-authored-by: Félix Malfait <felix@twenty.com>
The #1 Open-Source CRM
Tailored to your unique business needs
We’ve spent thousands of hours grappling with traditional CRMs like Pipedrive and Salesforce to align them with our business needs, only to end up frustrated — customizations are complex and the closed ecosystems of these platforms can feel restrictive.
We felt the need for a CRM platform that empowers rather than constrains. We believe the next great CRM will come from the open-source community. We’ve packed Twenty with powerful features to give you full control and help you run your business efficiently.
## Demo

Go to demo.twenty.com and log in with the following credentials:

- email: tim@apple.dev
- password: Applecar2025

See also:

- 🚀 Self-hosting
- 🖥️ Local Setup
## Why Choose Twenty?
We understand that the CRM landscape is vast. So why should you choose us?
⛓️ Full control, Full Freedom: Contribute, self-host, fork. Break free from vendor lock-in and join us in shaping the open future of CRM.
📊 Data, Your Way: The days when the role of CRM platforms was to shift manual data entries to a database are over. Now, the data is already there. CRM 2.0 should be built around your data, allowing you to access and visualize any existing sources, not forcing you to retrofit your data into predefined objects on a remote cloud.
🎨 Effortlessly Intuitive: We set out to create something that we ourselves would always enjoy using. The main application draws inspiration from Notion, a tool known for its user-friendly interface and customization capabilities.
## What You Can Do With Twenty
We're currently in the development phase of Twenty's alpha version.
Please feel free to flag any specific needs you have by creating an issue.
Below are some features we have implemented to date:
- Add, filter, sort, edit, and track customers
- Create one or several opportunities for each company
- See rich notes and tasks displayed in a timeline
- Create tasks on records
- Navigate quickly through the app using keyboard shortcuts and search
The README's screenshots (not reproduced in this text) illustrate: adding, filtering, sorting, editing and tracking customers; creating one or several opportunities for each company; tracking deals effortlessly with the email integration; tailoring your data model to meet business needs; seeing rich notes displayed in a timeline; creating tasks on records; navigating quickly through the app using keyboard shortcuts and search; and connecting your CRM to all your tools through our APIs and Webhooks.
## What's In Store
Here’s what you can look forward to:
⏳ Frequent updates: We’re shipping fast! Expect regular updates and new features that enhance your experience.
🔗 Extensibility: We’re putting the power in your hands. Soon, you’ll have the tools to extend and customize Twenty with plugins and more.
## Join the Community
- Star the repo
- Join discussions and track issues
- Follow us on Twitter or LinkedIn
- Join our Discord
- Contributions are, of course, most welcome!