fix: added webhook verify token for security

2025-01-19 22:25:23 +05:30 · 2025-01-19 22:25:23 +05:30 · 8e45656c86
commit 8e45656c86
parent 9c800417bb
2 changed files with 35 additions and 3 deletions
--- a/crm/fcrm/doctype/crm_exotel_settings/crm_exotel_settings.json
+++ b/crm/fcrm/doctype/crm_exotel_settings/crm_exotel_settings.json
@ -10,6 +10,8 @@
  "record_call",
  "section_break_kfez",
  "account_sid",
+  "column_break_qwfn",
+  "webhook_verify_token",
  "section_break_iuct",
  "api_key",
  "column_break_hyen",
@ -70,12 +72,23 @@
   "fieldname": "record_call",
   "fieldtype": "Check",
   "label": "Record Call"
+  },
+  {
+   "fieldname": "column_break_qwfn",
+   "fieldtype": "Column Break"
+  },
+  {
+   "depends_on": "enabled",
+   "fieldname": "webhook_verify_token",
+   "fieldtype": "Data",
+   "label": "Webhook Verify Token",
+   "mandatory_depends_on": "enabled"
  }
 ],
 "index_web_pages_for_search": 1,
 "issingle": 1,
 "links": [],
- "modified": "2025-01-15 19:31:00.310049",
+ "modified": "2025-01-19 22:19:20.713970",
 "modified_by": "Administrator",
 "module": "FCRM",
 "name": "CRM Exotel Settings",
--- a/crm/integrations/exotel/handler.py
+++ b/crm/integrations/exotel/handler.py
@ -1,5 +1,3 @@
-import json
-
 import bleach
 import frappe
 import requests
@ -8,10 +6,20 @@ from frappe.integrations.utils import create_request_log

 from crm.integrations.api import get_contact_by_phone_number

+# Endpoints for webhook
+
+# Incoming Call:
+# <site>/api/method/crm.integrations.exotel.handler.handle_request?key=<exotel-webhook-verify-token>
+
+# Exotel Reference:
+# https://developer.exotel.com/api/
+# https://support.exotel.com/support/solutions/articles/48283-working-with-passthru-applet
+

 # Incoming Call
@frappe.whitelist(allow_guest=True)
 def handle_request(**kwargs):
+	validate_request()
 	if not is_integration_enabled():
 		return

@ -149,6 +157,17 @@ def get_exotel_settings():
 	return frappe.get_single("CRM Exotel Settings")


+def validate_request():
+	# workaround security since exotel does not support request signature
+	# /api/method/<exotel-integration-method>?key=<exotel-webhook=verify-token>
+	webhook_verify_token = frappe.db.get_single_value("CRM Exotel Settings", "webhook_verify_token")
+	key = frappe.request.args.get('key')
+	is_valid = key and key == webhook_verify_token
+
+	if not is_valid:
+		frappe.throw(_("Unauthorized request"), exc=frappe.PermissionError)
+
+
@frappe.whitelist()
 def is_integration_enabled():
 	return frappe.db.get_single_value("CRM Exotel Settings", "enabled", True)