Secure Webhooks #28

@harshasrikara

Overview
Secure webhook endpoints coming from known sources such as Typeform or MongoDB

Details
This issue will focus specifically on securing the endpoint that is accepting information from Typeform. Completing this will allow for us to easily replicate similar logic for data coming from different sources. The need to secure these endpoints is because our current setup involves exposed webhooks that can potentially receive invalid or malicious requests. Full details on how to secure the endpoints are listed below. Refer to the following sources for the content on how to go about it

Task List

  • Create dedicated middleware / express server to handle the typeform webhook endpoint
  • Validate Typeform-Signature header by generating the same sha256 signature
  • Generate new secret to use and save it to the Firebase Functions Environment variables. Quick command -> firebase functions:config:set typeform.secret=abc
  • Archive Firestore triggers for functions that were dependent on Typeform data but will no longer run in any useful setting (e.g. Hacktoberfest)
  • Document secret to be used in Typeform in a secure location
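
A sketch of the signature check from the task list, added here as an example and not part of the original issue or the project's code. It assumes Typeform's documented scheme (the `Typeform-Signature` header carries `sha256=` followed by the base64 HMAC-SHA256 of the raw request body) and that the unparsed body is available as `req.rawBody`, as Firebase Functions provides; all function names and the sample secret and payload are hypothetical.

```javascript
const crypto = require('node:crypto');

// Value the sender is expected to put in Typeform-Signature:
// "sha256=" + base64(HMAC-SHA256(secret, raw request body)).
function expectedSignature(secret, rawBody) {
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('base64');
  return `sha256=${mac}`;
}

// Constant-time comparison. Lengths are checked first because
// crypto.timingSafeEqual throws on buffers of different length.
function signatureMatches(secret, rawBody, header) {
  if (typeof header !== 'string' || !Buffer.isBuffer(rawBody)) return false;
  const expected = Buffer.from(expectedSignature(secret, rawBody));
  const received = Buffer.from(header);
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Express-style middleware factory (hypothetical name). The HMAC must be
// computed over the bytes as received, not over re-serialised JSON.
function verifyTypeformSignature(secret) {
  if (!secret) throw new Error('Typeform webhook secret is not configured');
  return function (req, res, next) {
    const header = req.headers['typeform-signature'];
    if (!signatureMatches(secret, req.rawBody, header)) {
      res.status(401).send('invalid signature');
      return; // reject before any handler touches the payload
    }
    next();
  };
}

// Constructed sample secret and payload, for exercising the middleware offline.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"event_type":"form_response","form_id":"constructed"}');

// Runs the middleware against a fake request and reports what happened.
function simulate(header, body = SAMPLE_BODY) {
  const result = { status: 200, passed: false };
  const res = { status(c) { result.status = c; return this; }, send() { return this; } };
  const headers = header === undefined ? {} : { 'typeform-signature': header };
  verifyTypeformSignature(SAMPLE_SECRET)({ headers, rawBody: body }, res,
    () => { result.passed = true; });
  return result;
}
```
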
