🔖 Feature description
We would like to make it configurable how the Secret Hmac Key passed to the email webhook provider's configuration is interpreted.
Currently it's interpreted as text, but we need a way to pass a Base-64 encoded binary value because of AWS KMS requirements. Potentially more cloud cryptography services may need it.
🎤 Why is this feature needed?
tl;dr;
AWS KMS requires a binary HMAC secret key, which is impossible to enter as plain text in the email webhook provider's configuration.
We are using AWS KMS in order to validate the HMAC in lambdas invoked by the email webhook provider. The HMAC is generated by the Novu provider using the following function:
There is no 3rd parameter passed to createHmac, so it interprets the hmacSecretKey as a string.
It seems not to be a problem when you use crypto directly in your verification code, but in order to make our system more secure, we decided not to retrieve the HMAC secret key in our lambda. Instead we offload the HMAC verification to the AWS KMS service. When you upload an HMAC secret key there, it's impossible to retrieve it, so even if our infrastructure is compromised, the HMAC secret key is still safe.
When we import the HMAC secret key to AWS KMS, it has some requirements. One of them is that the HMAC secret key can't be a string (plaintext) key. Usually what you do to generate your HMAC secret key is:
While the *.b64 contains the key in a readable form of: fka6JxM3aAzrK6usPTV46l52W9KpNvUtqPe3oENkpwg= (base-64 encoded), the *.bin is far from being readable, containing non-printable characters.
All this means that:
Novu signs the body with the HMAC secret key interpreted as a string, generating the HMAC
The email webhook provider calls our lambda
We pass the generated HMAC to AWS KMS in order to verify it's valid
AWS KMS rejects it because it internally interprets the HMAC secret key as binary
✌️ How do you aim to achieve this?
On the email webhook provider configuration view, below the text field, a control should be added with the following options:
Text (selected by default)
Base-64
HEX
The selection should be persisted in the DB
The selection should be used when the computeHmac function in the provider is executed. Example for Base-64:
🔄️ Additional Information
The workaround is to use crypto directly in our lambda, which makes us more vulnerable if the infrastructure is compromised & the HMAC secret key leaks outside.
👀 Have you spent some time to check if this feature request has been raised before?
🏢 Have you read the Code of Conduct?
Are you willing to submit PR?
Yes I am willing to submit a PR!
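The mismatch described in this issue, as an added example that is not part of the original issue and is not Novu's code: the same secret string produces a different HMAC depending on whether it is used as text or decoded to bytes first, which is why a verifier holding the decoded key material rejects a signature made with the text form. HMAC-SHA256 with a hex digest, the `keyEncoding` option names and the sample body are assumptions.

```javascript
// Added example, not Novu's code. Assumes HMAC-SHA256 with a hex digest.
const { createHmac, timingSafeEqual } = require('node:crypto');

const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
const HEX_RE = /^(?:[0-9a-fA-F]{2})+$/;

// Buffer.from() silently skips invalid characters, so validate before decoding;
// otherwise a mistyped secret would quietly become a shorter, different key.
function strictDecode(value, encoding, pattern) {
  if (value.length === 0 || !pattern.test(value)) {
    throw new Error(`secret is not valid ${encoding}`);
  }
  return Buffer.from(value, encoding);
}

// Hypothetical option names mirroring the Text / Base-64 / HEX choices above.
const KEY_DECODERS = {
  text: (s) => Buffer.from(s, 'utf8'),
  base64: (s) => strictDecode(s, 'base64', BASE64_RE),
  hex: (s) => strictDecode(s, 'hex', HEX_RE),
};

function computeHmac(payload, secret, keyEncoding = 'text') {
  const decode = KEY_DECODERS[keyEncoding];
  if (!decode) throw new Error(`unsupported key encoding: ${keyEncoding}`);
  return createHmac('sha256', decode(secret)).update(payload).digest('hex');
}

// Constant-time comparison of a received hex MAC against the expected one.
function verifyHmac(payload, secret, keyEncoding, receivedHex) {
  const expected = Buffer.from(computeHmac(payload, secret, keyEncoding), 'hex');
  const received = Buffer.from(receivedHex, 'hex');
  return received.length === expected.length && timingSafeEqual(received, expected);
}

const SECRET_B64 = 'fka6JxM3aAzrK6usPTV46l52W9KpNvUtqPe3oENkpwg='; // key string quoted in the issue
const BODY = JSON.stringify({ to: 'user@example.com', subject: 'hello' }); // constructed sample payload

function demo() {
  const keyHex = Buffer.from(SECRET_B64, 'base64').toString('hex');
  return {
    keyBytes: keyHex.length / 2,                       // length of the decoded key
    asText: computeHmac(BODY, SECRET_B64, 'text'),     // key = the 44 ASCII characters
    asBinary: computeHmac(BODY, SECRET_B64, 'base64'), // key = the decoded bytes
    asHexKey: computeHmac(BODY, keyHex, 'hex'),        // same bytes, entered as hex
  };
}
```

`demo().asBinary` and `demo().asHexKey` agree because both use the decoded key bytes, while `demo().asText` differs from both.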