🚀 Feature: Configurable HMAC encoding type in email webhook provider #4056

Open
2 tasks done
szbartnik opened this issue Aug 30, 2023 · 1 comment


szbartnik commented Aug 30, 2023

🔖 Feature description


We would like to make it configurable how the Secret Hmac Key, passed to the email webhook provider's configuration, is interpreted.

Currently it's interpreted as text, but we need a way to pass a Base-64 encoded binary value because of AWS KMS requirements. Potentially more cloud cryptography services may need it.

🎤 Why is this feature needed ?

tl;dr;
AWS KMS requires a binary HMAC secret key, which is impossible to enter as plain text in the email webhook provider's configuration.

We are using AWS KMS in order to validate HMAC in lambdas invoked by the email webhook provider. The HMAC is generated by the Novu provider using the following function:

computeHmac(payload: string): string {
  return crypto
    .createHmac('sha256', this.config.hmacSecretKey)
    .update(payload, 'utf-8')
    .digest('hex');
}

There is no 3rd parameter passed to createHmac, so it interprets the hmacSecretKey as a string.

It seems not to be a problem when you use crypto directly in your verification code, but in order to make our system more secure, we decided not to retrieve the HMAC secret key to our lambda. Instead we offload the HMAC verification to the AWS KMS service. When you upload an HMAC secret key there, it's impossible to retrieve it, so even if our infrastructure is compromised, the HMAC secret key is still safe.

When we import HMAC secret key to AWS KMS, it has some requirements. One of them is that the HMAC secret key can't be a string (plaintext) key. Usually what you do to generate your HMAC secret key is:

openssl rand -out HMAC_256_PlaintextKey.bin 32
openssl enc -base64 -A -in HMAC_256_PlaintextKey.bin -out HMAC_256_PlaintextKey.b64

While the *.b64 contains the key in a readable form of: fka6JxM3aAzrK6usPTV46l52W9KpNvUtqPe3oENkpwg= (base-64 encoded), the *.bin is far from being readable containing non-printable characters.

All of this means that:

  1. Novu signs the body with HMAC secret key interpreted as string, generating HMAC
  2. The email webhook provider calls our lambda
  3. We pass the generated HMAC to AWS KMS in order to verify it's valid
  4. AWS KMS rejects it because it internally interprets the HMAC secret key as binary

✌️ How do you aim to achieve this?

  1. On email webhook provider configuration view, below the text field, some control should be added with following options:

    • Text (selected by default)
    • Base-64
    • HEX
  2. The selection should be persisted in DB

  3. The selection should be used when computeHmac function in the provider is executed. Example for Base-64:

    computeHmac(payload: string): string {
      return crypto
        .createHmac('sha256', this.config.hmacSecretKey, { encoding: 'base64' })
        .update(payload, 'utf-8')
        .digest('hex');
    }

🔄️ Additional Information

The workaround is to use crypto directly in our lambda, which makes us more vulnerable if the infrastructure is compromised & the HMAC secret key leaks outside.

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

Yes I am willing to submit a PR!
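
The key-interpretation mismatch described in the four steps above, together with the proposed Text / Base-64 / HEX option, as an added example (not part of the original issue or of Novu's code). It decodes the key explicitly instead of passing `{ encoding }` to `createHmac`, so that malformed input is rejected rather than silently shortened. `keyBytes` and `verifyHmac` are hypothetical names, the payload is constructed, and `verifyHmac` is a local stand-in for a verifier that holds the raw key bytes, not the AWS KMS API.

```javascript
const crypto = require('node:crypto');

// Sample key quoted in the issue: base64 of 32 random bytes.
const KEY_B64 = 'fka6JxM3aAzrK6usPTV46l52W9KpNvUtqPe3oENkpwg=';

// Hypothetical helper: decode the configured secret per the selected option.
// Buffer.from() silently ignores or truncates invalid base64/hex input, which
// would yield a shorter key than intended, so the input is validated first.
function keyBytes(secret, encoding = 'text') {
  if (encoding === 'text') return Buffer.from(secret, 'utf8');
  if (encoding === 'base64') {
    const ok = secret.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(secret);
    if (!ok) throw new Error('secret is not valid base64');
    return Buffer.from(secret, 'base64');
  }
  if (encoding === 'hex') {
    if (!/^(?:[0-9a-fA-F]{2})+$/.test(secret)) throw new Error('secret is not valid hex');
    return Buffer.from(secret, 'hex');
  }
  throw new Error(`unsupported key encoding: ${encoding}`);
}

// Sender side: same shape as the provider's computeHmac, with the key decoded.
function computeHmac(payload, secret, encoding = 'text') {
  return crypto
    .createHmac('sha256', keyBytes(secret, encoding))
    .update(payload, 'utf-8')
    .digest('hex');
}

// Receiver side: local stand-in for a verifier that holds the raw key bytes.
function verifyHmac(payload, macHex, rawKey) {
  const expected = crypto.createHmac('sha256', rawKey).update(payload, 'utf-8').digest();
  const given = Buffer.from(macHex, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample payload.
const payload = JSON.stringify({ event: 'delivered', id: 'sample-1' });
const rawKey = Buffer.from(KEY_B64, 'base64');
console.log('text  :', verifyHmac(payload, computeHmac(payload, KEY_B64, 'text'), rawKey));
console.log('base64:', verifyHmac(payload, computeHmac(payload, KEY_B64, 'base64'), rawKey));
```

With the key treated as text, the sender signs with the 44 ASCII bytes of the base64 string while the receiver checks against the 32 decoded bytes, so verification fails; with `base64` or `hex` selected both sides use the same key bytes.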

@szbartnik

Any updates on it? We are happy to create a PR. Do you think the issue makes sense?
