iachat/app/policies
Shivam Mishra 95463230cb
feat: sign webhooks for API channel and agentbots (#13892)
Account webhooks sign outgoing payloads with HMAC-SHA256, but agent bot
and API inbox webhooks were delivered unsigned. This PR adds the same
signing to both.

Each model gets a dedicated `secret` column rather than reusing the
agent bot's `access_token` (for API auth back into Chatwoot) or the API
inbox's `hmac_token` (for inbound contact identity verification). These
serve different trust boundaries and shouldn't be coupled — rotating a
signing secret shouldn't invalidate API access or contact verification.

The existing `Webhooks::Trigger` already signs when a secret is present,
so the backend change is just passing `secret:` through to the jobs.
Shared token logic is extracted into a `WebhookSecretable` concern
included by `Webhook`, `AgentBot`, and `Channel::Api`. The frontend
reuses the existing `AccessToken` component for secret display. Secrets
are admin-only and excluded from enterprise audit logs.

### How to test

Point an agent bot or API inbox webhook URL at a request inspector. Send
a message and verify `X-Chatwoot-Signature` and `X-Chatwoot-Timestamp`
headers are present. Reset the secret from settings and confirm
subsequent deliveries use the new value.

---------

Co-authored-by: Sojan Jose <sojan@pepalo.com>
2026-04-06 15:28:25 +05:30
..
captain feat: new Captain Editor (#13235) 2026-01-21 13:39:07 +05:30
account_policy.rb feat: Add AI credit topup flow for Stripe (#12988) 2025-12-02 17:53:44 -08:00
agent_bot_policy.rb feat: sign webhooks for API channel and agentbots (#13892) 2026-04-06 15:28:25 +05:30
application_policy.rb chore: Update dependencies (#1173) 2020-09-08 11:24:08 +05:30
article_policy.rb chore: Clean up report & knowledge base policies (#11234) 2025-04-03 16:00:32 -07:00
assignment_policy_policy.rb feat: Add assignment policies controllers with jbuilder views (#12199) 2025-08-18 19:15:21 -07:00
automation_rule_policy.rb feat: common attachment endpoint follow-up changes (#7826) 2023-09-01 15:18:48 +07:00
campaign_policy.rb feat: Add APIs for Campaigns (#2175) 2021-04-29 22:23:32 +05:30
category_policy.rb feat(help-center): enable drag-and-drop category reordering (#13706) 2026-03-05 12:53:38 +05:30
contact_policy.rb feat: Contact Exports (#7258) 2023-06-13 09:18:43 +05:30
conversation_policy.rb chore: Enforce custom role permissions on conversation access (#12583) 2025-10-22 20:23:37 -07:00
csat_survey_response_policy.rb fix: Allow users with report_manage permission to access CSAT reports (#11625) 2025-05-29 12:09:03 -06:00
custom_filter_policy.rb fix: set custom filter count in redis (#7164) 2023-06-19 16:10:03 +05:30
hook_policy.rb feat: Ability to improve drafts in the editor using GPT integration (#6957) 2023-04-24 23:52:23 +05:30
inbox_policy.rb feat: sign webhooks for API channel and agentbots (#13892) 2026-04-06 15:28:25 +05:30
label_policy.rb Feature: Improve label experience (#975) 2020-06-25 21:04:03 +05:30
macro_policy.rb feat: common attachment endpoint follow-up changes (#7826) 2023-09-01 15:18:48 +07:00
portal_policy.rb feat(cloud): Add support for viewing status of SSL in custom domains (#12011) 2025-07-30 10:52:47 -07:00
report_policy.rb chore: Clean up report & knowledge base policies (#11234) 2025-04-03 16:00:32 -07:00
team_member_policy.rb chore: Update method for team members (#1734) 2021-02-09 19:21:31 +05:30
team_policy.rb feat: Team APIs (#1654) 2021-01-17 23:56:56 +05:30
user_policy.rb feat: allow bulk invite create via email (#8853) 2024-02-06 09:04:04 +05:30
webhook_policy.rb Feature: Ability to switch between multiple accounts (#881) 2020-05-26 22:38:48 +05:30