feat: HMAC verification for web widget (#1643)

* feat: HMAC verification for web widget. Let you verify the authenticated contact via HMAC on the web widget to prevent data tampering. * Add docs for identity-validation Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
2025-11-03 04:27:53 +00:00 · 2021-01-17 22:44:03 +05:30
parent d758df8807
commit b6e8173b24
26 changed files with 517 additions and 311 deletions
--- a/app/javascript/packs/sdk.js
+++ b/app/javascript/packs/sdk.js
@@ -3,7 +3,9 @@ import { IFrameHelper } from '../sdk/IFrameHelper';
 import { getBubbleView } from '../sdk/bubbleHelpers';
 import md5 from 'md5';

-const ALLOWED_LIST_OF_SET_USER_ATTRIBUTES = ['avatar_url', 'email', 'name'];
+const REQUIRED_USER_KEYS = ['avatar_url', 'email', 'name'];
+
+const ALLOWED_USER_ATTRIBUTES = [...REQUIRED_USER_KEYS, 'identifier_hash'];

 export const getUserCookieName = () => {
  const SET_USER_COOKIE_PREFIX = 'cw_user_';
@@ -12,7 +14,7 @@ export const getUserCookieName = () => {
 };

 export const getUserString = ({ identifier = '', user }) => {
-  const userStringWithSortedKeys = ALLOWED_LIST_OF_SET_USER_ATTRIBUTES.reduce(
+  const userStringWithSortedKeys = ALLOWED_USER_ATTRIBUTES.reduce(
    (acc, key) => `${acc}${key}${user[key] || ''}`,
    ''
  );
@@ -22,10 +24,7 @@ export const getUserString = ({ identifier = '', user }) => {
 const computeHashForUserData = (...args) => md5(getUserString(...args));

 export const hasUserKeys = user =>
-  ALLOWED_LIST_OF_SET_USER_ATTRIBUTES.reduce(
-    (acc, key) => acc || !!user[key],
-    false
-  );
+  REQUIRED_USER_KEYS.reduce((acc, key) => acc || !!user[key], false);

 const runSDK = ({ baseUrl, websiteToken }) => {
  const chatwootSettings = window.chatwootSettings || {};