feat: add tokens in the webhook call data

Signed-off-by: Jana Peper <[email protected]>

Author: janepie

apps/webhook_listeners/lib/BackgroundJobs/WebhookCall.php

@@ -42,6 +42,9 @@ protected function run($argument): void {
 		[$data, $webhookId] = $argument;
 		$webhookListener = $this->mapper->getById($webhookId);
 		$client = $this->clientService->newClient();
+
+		// adding temporary auth tokens to the call
+		$data['tokens'] = $this->getTokens($webhookListener, $data['user']['uid']);
 		$options = [
 			'verify' => $this->certificateManager->getAbsoluteBundlePath(),
 			'headers' => $webhookListener->getHeaders() ?? [],
@@ -92,4 +95,31 @@ protected function run($argument): void {
 			$this->logger->error('Webhook(' . $webhookId . ') call failed: ' . $e->getMessage(), ['exception' => $e]);
 		}
 	}
+
+	private function getTokens($webhookListener, $triggerUserId): array {
+		$tokens = [];
+		$tokenNeeded = $webhookListener->getTokenNeeded();
+		if (isset($tokenNeeded['users'])) {
+			foreach ($tokenNeeded['users'] as $userId) {
+				$tokens['users'][$userId] = $webhookListener->createTemporaryToken($userId);
+			}
+		}
+		if (isset($tokenNeeded['users'])) {
+			foreach ($tokenNeeded['functions'] as $function) {
+				switch ($function) {
+					case 'owner':
+						// token for the person who created the flow
+						$functionId = $webhookListener->getUserId();
+						$tokens['functions']['owner'][$functionId] = $webhookListener->createTemporaryToken($functionId);
+						break;
+					case 'trigger':
+						// token for the person who triggered the webhook
+						$tokens['functions']['trigger'][$triggerUserId] = $webhookListener->createTemporaryToken($triggerUserId);
+						break;
+				}
+			}
+		}
+
+		return $tokens;
+	}
 }

apps/webhook_listeners/lib/Controller/WebhooksController.php

@@ -112,7 +112,9 @@ public function show(int $id): DataResponse {
 	 * @param ?array<string,string> $headers Array of headers to send
 	 * @param "none"|"header"|null $authMethod Authentication method to use
 	 * @param ?array<string,mixed> $authData Array of data for authentication
-	 * @param ?array<string,mixed> $tokenNeeded List of user ids for which to include auth tokens in the event
+	 * @param ?array<string,mixed> $tokenNeeded List of user ids for which to include auth tokens in the event.
+	 *                                          Has to fields: "users" lists uids of users for which tokens are needed, "functions" lists functions for which tokens can be included.
+	 *                                          Possible functions: "owner" for the user creating the webhook, "trigger" for the user triggering the webhook call
 	 *
 	 * @return DataResponse<Http::STATUS_OK, WebhookListenersWebhookInfo, array{}>
 	 *
@@ -183,7 +185,9 @@ public function create(
 	 * @param ?array<string,string> $headers Array of headers to send
 	 * @param "none"|"header"|null $authMethod Authentication method to use
 	 * @param ?array<string,mixed> $authData Array of data for authentication
-	 * @param ?array<string,mixed> $tokenNeeded List of user ids for which to include auth tokens in the event
+	 * @param ?array<string,mixed> $tokenNeeded List of user ids for which to include auth tokens in the event.
+	 *                                          Has to fields: "users" lists uids of users for which tokens are needed, "functions" lists functions for which tokens can be included.
+	 *                                          Possible functions: "owner" for the user creating the webhook, "trigger" for the user triggering the webhook call
 	 *
 	 * @return DataResponse<Http::STATUS_OK, WebhookListenersWebhookInfo, array{}>
 	 *

apps/webhook_listeners/lib/Db/WebhookListener.php

@@ -9,8 +9,11 @@
 
 namespace OCA\WebhookListeners\Db;
 
+use OC\Authentication\Token\IProvider;
 use OCP\AppFramework\Db\Entity;
+use OCP\Authentication\Token\IToken;
 use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
 use OCP\Server;
 
 /**
@@ -23,6 +26,7 @@
  * @method ?string getAuthData()
  * @method void setAuthData(?string $data)
  * @method string getAuthMethod()
+ * @method ?array getTokenNeeded()
  * @psalm-suppress PropertyNotSetInConstructor
  */
 class WebhookListener extends Entity implements \JsonSerializable {
@@ -84,21 +88,32 @@ class WebhookListener extends Entity implements \JsonSerializable {
 	 */
 	protected $authData = null;
 
-		/**
+	/**
 	 * @var array
 	 * @psalm-suppress PropertyNotSetInConstructor
 	 */
 	protected $tokenNeeded;
 
 	private ICrypto $crypto;
 
+	private IProvider $tokenProvider;
 	public function __construct(
 		?ICrypto $crypto = null,
+		?IProvider $tokenProvider = null,
+		private ?ISecureRandom $random = null,
 	) {
 		if ($crypto === null) {
 			$crypto = Server::get(ICrypto::class);
 		}
 		$this->crypto = $crypto;
+		if ($tokenProvider === null) {
+			$tokenProvider = Server::get(IProvider::class);
+		}
+		$this->tokenProvider = $tokenProvider;
+		if ($random === null) {
+			$random = Server::get(ISecureRandom::class);
+		}
+		$this->random = $random;
 		$this->addType('appId', 'string');
 		$this->addType('userId', 'string');
 		$this->addType('httpMethod', 'string');
@@ -152,4 +167,21 @@ public function jsonSerialize(): array {
 	public function getAppId(): ?string {
 		return $this->appId;
 	}
+
+
+	public function createTemporaryToken($userId) {
+		$token = $this->generateRandomDeviceToken();
+		$name = 'Authentication for Webhook';
+		$password = null;
+		$deviceToken = $this->tokenProvider->generateToken($token, $userId, $userId, $password, $name, IToken::PERMANENT_TOKEN);
+		return $token;
+	}
+
+	private function generateRandomDeviceToken() {
+		$groups = [];
+		for ($i = 0; $i < 5; $i++) {
+			$groups[] = $this->random->generate(5, ISecureRandom::CHAR_HUMAN_READABLE);
+		}
+		return implode('-', $groups);
+	}
 }

apps/webhook_listeners/lib/Db/WebhookListenerMapper.php

@@ -82,7 +82,7 @@ public function addWebhookListener(
 		AuthMethod $authMethod,
 		#[\SensitiveParameter]
 		?array $authData,
-		?array $tokenNeeded
+		?array $tokenNeeded,
 	): WebhookListener {
 		/* Remove any superfluous antislash */
 		$event = ltrim($event, '\\');

apps/webhook_listeners/lib/Migration/Version1500Date20251007130000.php

@@ -12,9 +12,9 @@
 use Closure;
 use OCA\WebhookListeners\Db\WebhookListenerMapper;
 use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
 use OCP\Migration\IOutput;
 use OCP\Migration\SimpleMigrationStep;
-use OCP\DB\Types;
 
 class Version1500Date20251007130000 extends SimpleMigrationStep {
 
@@ -29,14 +29,14 @@ public function changeSchema(IOutput $output, Closure $schemaClosure, array $opt
 
 		if ($schema->hasTable(WebhookListenerMapper::TABLE_NAME)) {
 			$table = $schema->getTable(WebhookListenerMapper::TABLE_NAME);
-			if(!$table->hasColumn('token_needed')){
+			if (!$table->hasColumn('token_needed')) {
 				$table->addColumn('token_needed', Types::TEXT, [
-				'notnull' => false,
-			]);
+					'notnull' => false,
+				]);
 			}
-			
+
 			return $schema;
 		}
 		return null;
 	}
-}
+}