Authenticated Approval Request
R
Razzmatazz Meerkat
Currently available approval methods (Email, Teams, etc.) do not have an authentication layer. It is assumed that the recipient is allowed to approve whatever is being sent their way. The approval is just a simple webhook that does not output any information, which makes auditing difficult.
As an example, if email forwarding is setup when a user is on vacation, an approval could end up in the wrong hands.
Having the ability to send an approval, but also authenticate would be extremely helpful, as currently there is no way to determine who approved something.
Ideally, specifying a specific list of Rewst users who can approve something on a per workflow basis, along with outputting who approved it, would make changes much easier to track.
Log In
D
Danial Gagne
Merged in a post:
Webhook Security - Restrict to Rewst Users
S
Sanguine brown Moth
We can currently secure webhooks by header secret (x-rewst-secret), secret URL param, or source IP (X-Forwarded-For). These are all great options for programmatic access (where secrets can be rotated regularly), but they don't work for humans. Now webhooks aren't really designed for humans to use, so why is this an issue? It's because Rewst is advising humans to use webhooks...
We onboarding in late 2023. Part of that process was unpacking 2 crates: "Comprehensive Rewst Forms List" and "Organizational Setup Report". These both output human-readable HTML reports via a webhook. At the time, I assumed these were protected with the same Entra/Google account restrictions as Forms. Turns out, I was wrong. They're wide open to the internet. Anybody that gets ahold of that static URL can get a list of all our clients, Rewst user emails, integrations we use, our IdPs, and all our org variables. This is Security through Obscurity (CWE-656), and is not a good practice.
FEATURE REQUEST: Add the ability for webhooks to be protected in the same way forms are restricted to authorized Entra/Google users. Obviously, we don’t want this enabled on all webhooks. But it should be an option that we can enable on human-facing webhook triggers, like the aforementioned crates.
F
Fashionable Shrimp
I think instead, we should see these report workflows replaced with the app platform. I can only assume the app platform will support crates so I’m hoping we just get new versions use that rather than web hooks.