### Is your feature request related to a problem? Please describe.

At the moment, the architecture of Hooks is set up such that Trigger will report the status of any event or run to anyone who provides the ID in the request. In a multi-tenant application, where tenants will share the same public API key, this means that any tenant would be authorized to see the status of events or runs invoked on behalf of a different tenant. This is a security weakness.
### Describe the solution you'd like to see

`useEventDetails` etc. should require not just an ID as a parameter but also some token (likely a JWT) that uniquely identifies the user.
When creating a Job, an optional function can be added returning boolean whether a given secret is authorized or not:
```javascript
client.defineJob({
  // Receives the caller's token; returns whether that caller may read the status
  statusAuthentication: (token) => Math.random() >= 0.5,
  // ...
})
```

If such a function is defined, then anonymous event status checks are forbidden.
### Describe alternate solutions
N/A
### Additional information
No response