Have invalid signature transmit 404 error instead of forbidden

[mockdeep]

It would be nice if we could have our webhook render a generic 404 message to not give malicious attackers any information about what is going on.

[tardate]

@mockdeep that's a good idea. At the moment we probably give away TMI:

context "with invalid key" do
  ...
  expect(processor_instance).to receive(:head).with(:forbidden, :text => "Mandrill signature did not match.")

I'm open to suggestions:

• just change this to a generic 404
• or make this a configurable behaviour?

[mockdeep]

@tardate, I don't have a strong opinion one way or another. If I were to guess, I would say it's probably safe and simpler to just change it to a 404. It might be a little more confusing for someone debugging their webhook, though, so not sure if you want to maintain both options. I could see something like:

authenticate_with_mandrill_keys! 'YOUR_MANDRILL_WEBHOOK_KEY', fail_with: :not_found