X-Hub-Signature Security for WebHook/WebSub APIs

[BLasan]

A separate policy support is needed to verify the content received to the gateway from an Event Provider(Ex: Github).

User Story

1. API Publisher generates a secret for the API which is then consumed by a event source(Ex: Gihub) when sending events.
2. Deploy the API to the gateway and this configuration needs to be added as a API level policy (for all routes)
3. When an event comes to a specific route(channel in async API), gateway needs to verify the payload by generating a HMAC using the secret configured and the payload received. Then gateway should compare the value received in X-Hub-Signature header and the HMAC generated.

Approach

  policies:
    - name: verify-event-payload
      version: v0.1.0
      params:
        requestHeader:
          - action: VERIFY
             name: x-hub-signature
             secret: xxxxxxx
             signingAlgorithm: SHA1

This policy should extract the value in the x-hub-signature header and compare it with the one generated using the received payload and configured secret and signing algorithm.

[BLasan]

@renuka-fernando We need to prioritize this as the WebSub feature should be released next month for a customer

[renuka-fernando]

Hi @BLasan

The policy engine is capable of reading request/response headers and bodies, so there are no technical blockers to implementing this. Are you able to take on the policy writing, or should we assign it to someone else?

[renuka-fernando]

cc: @Krishanx92