[feat] webhook payload signature verification

[cauethenorio]

Currently, when my application receives the webhook payload sent by free-email-forwarding there's no way to validate the request authenticity.

It would be nice if it has some validation field, like the signature one which mailgun uses in their webhooks:
https://documentation.mailgun.com/en/latest/user_manual.html?highlight=signature#webhooks

Thanks for building this awesome project and making it open-source @niftylettuce!

[niftylettuce]

You could verify the request came from mx1.forwardemail.net or mx2.forwardemail.net resolved IP addresses. I will add a signature or something as soon I can. Trying to ship the browser extension among other things. Thanks for raising this point @cauethenorio.

[m4rvr]

Hey @niftylettuce, is this still on the roadmap or are there other solutions for that now?

[titanism]

Will see what we can do!

[titanism]

Another solution is to just check that the IP resolved that it's coming from resolves to mx1.forwardemail.net or mx2.forwardemail.net in a reverse lookup. You can get the IP's specifically from dig mx1.forwardemail.net a or dig mx2.forwardemail.net a, so you could hard code it's from those specific IP addresses (or hostname in reverse lookup).

[m4rvr]

Thanks for your fast response. Checking the IP works for me. :)

[titanism]

We now publish our IP addresses at https://forwardemail.net/ips – and they are automatically updated daily.

[m4rvr]

Hey again! Am I right that checking the IP addresses is still the only way to verify?

If so, how often do these IPs change? Do I need to periodically fetch the ips or is hard coding them fine?

[titanism]

@m4rvr we'll implement signatures, one moment

[titanism]

@m4rvr OK it's ready for you. Simply go to My Account → Domains → Settings → Webhook Signature Payload Verification Key. Then you will be able to rotate and copy your webhook key. Use this in comparison against the X-Webhook-Signature header in webhook payloads. An example of how to do the comparison is at https://stackoverflow.com/a/68885281.

Screenshot:

We've tested and confirmed this is working ✅

Ref: forwardemail/forwardemail.net@10180e1#diff-d5d9aaae30993bbc32838519974019092153b1f4a1bf900bfeec455e53c88390

[titanism]

FAQ also updated: https://forwardemail.net/en/faq#do-you-support-webhooks:~:text=If%20you%27re%20on%20a%20paid%20plan%2C%20then%20go%20to%20My%20Account%20%E2%86%92%20Domains%20%E2%86%92%20Settings%20%E2%86%92%20Webhook%20Signature%20Payload%20Verification%20Key%20to%20obtain%20your%20webhook%20key.

[m4rvr]

@titanism No way you added it that fast. Thank you very much for that!! 🫶

I've just checked it, but I don't get any X-Webhook-Signature header sent. I'm using Localcan for exposing a public development URL for the webhook. I also tried webhook.site for that, still no signature header. I'm using fastify and logging headers via request.headers.

I had to reset the key at the beginning too, because it was empty for the existing domain. Maybe I need to recreate the domain completely?

[titanism]

@m4rvr can you email us at support@forwardemail.net with which domain this is for?