Feat(webhook_listeners): add auth tokens to webhook call

[janepie]

Summary

Needed for Windmill integration.

This code adds an option to ask for authentication tokens when registering a webhook. The requested tokens will be added to the dispatched request to the defined endpoint.

All tokens generated with this have a lifetime of 1 hour and will be deleted after that in a background job every 5 min.

Tokens can be requested in the tokenNeeded parameter, which accepts listed values in the two fields "user_ids" and "user_roles".
"user_ids" is a list of user uids for which tokens are needed, "user_roles" is a list of roles (users not defined by their ID but by the role they have in the webhook event) for which tokens can be included. Possible roles: "owner" for the user creating the webhook, "trigger" for the user triggering the webhook call.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

[julien-nc]

From you branch, at the top of server, you can run

composer i
# you might wanna revert what it does to lib/composer
git checkout ./lib/composer/
composer run cs:check ./apps/webhook_listeners/lib
# or if you have Php 8.4 like me and it's refused by php-cs
PHP_CS_FIXER_IGNORE_ENV=1 composer run cs:check ./apps/webhook_listeners/lib
# and if you want to fix the syntax issues:
composer run cs:fix ./apps/webhook_listeners/lib

(for later) To implement the token expiration mechanism you might need a new table where you store

• the token ID
• the webhook ID
• if needed, the token creation timestamp

[oleksandr-nc]

Who will revoke generated token once it is not needed? Will we revoke it in the server repo or in the Windmill integration app itself?

Another question related to previous: If the token was generated for user bob first time, and then second time the flow was triggered - should we create a new token for user bob or update the olds token expiration time?

[julien-nc]

@oleksandr-nc

Who will revoke generated token once it is not needed?

IMO the tokens should be revoked by a background job in webhook_listeners.

should we create a new token for user bob or update the olds token expiration time?

I think it's clearer and cleaner if we have independent tokens for each webhook "call". If the token generated for the first run leaks for some reason, it's bad if we make it live longer.

[oleksandr-nc]

IMO the tokens should be revoked by a background job in webhook_listeners.

This definetly should be added as a comment to the code.

[julien-nc]

Yep, this PR is still WIP. This is planned.

[janepie]

Sorry for all the change requests but this is quite a big PR.

No worries, thanks for reviewing so thoroughly! I think I got everything

[marcelklehr]

Error handling is missing here, I think. What if the token doesn't exist anymore in either table? The other tokens should still be deleted. Also, the getOlderThan could fail, I think

[janepie]

Hmm if it's failing to delete in the authtokens table, should it stay in the second table or not?

[janepie]

getOlderThan is a db query, what kind of failing are you thinking of?

[marcelklehr]

Query failure. All db queries can fail with a DB Exception. That should always be handled, IMO

[marcelklehr]

return, please :)

[come-nc]

$data['user'] may be null if an event is triggered from a public page.

Suggested change

	$data['tokens'] = $this->tokenService->getTokens($webhookListener, $data['user']['uid']);
	$data['tokens'] = $this->tokenService->getTokens($webhookListener, $data['user']['uid'] ?? null);

Something like that would work, if getTokens supports getting null as second parameter.

[come-nc]

Suggested change

	$this->tokenMapper->invalidate($this->tokenMapper->getTokenById($token->getTokenId())->getToken()); // delete token itself
	$this->tokenMapper->delete($this->tokenMapper->getTokenById($token->getTokenId())); // delete token itself

[come-nc]

There is no $e object in this context or did I miss something?

[come-nc]

Suggested change

	foreach ($tokenNeeded['user_roles'] as $function) {
	foreach ($tokenNeeded['user_roles'] as $user_role) {

The namings $function and $functionId in this loop are quite confusing.

[come-nc]

Suggested change

	// We need the getToken() method to be able to send the token out.
	// That method is only available in PublicKeyToken which is returned by generateToken
	// but not declared as such, so we have to check the type here
	if (!($deviceToken instanceof PublicKeyToken)) { // type needed for the getToken() function
	throw new \Exception('Unexpected token type');
	}

This is not true anymore, only getId is used and it’s part of the public interface.