chore: Require HTTPS webhook URLs (#745)

* chore: Require HTTPS webhook URLs

* fix build

* allow localhost

Author: arcoraven

src/server/routes/contract/subscriptions/addContractSubscription.ts

@@ -20,7 +20,7 @@ import {
 } from "../../../schemas/contractSubscription";
 import { standardResponseSchema } from "../../../schemas/sharedApiSchemas";
 import { getChainIdFromChain } from "../../../utils/chain";
-import { isValidHttpUrl } from "../../../utils/validator";
+import { isValidWebhookUrl } from "../../../utils/validator";
 
 const bodySchema = Type.Object({
   chain: chainIdOrSlugSchema,
@@ -140,7 +140,7 @@ export async function addContractSubscription(fastify: FastifyInstance) {
       // Create the webhook (if provided).
       let webhookId: number | undefined;
       if (webhookUrl) {
-        if (!isValidHttpUrl(webhookUrl)) {
+        if (!isValidWebhookUrl(webhookUrl)) {
           throw createCustomError(
             "Invalid webhook URL. Make sure it starts with 'https://'.",
             StatusCodes.BAD_REQUEST,

src/server/routes/index.ts

@@ -59,7 +59,7 @@ import { pageEventLogs } from "./contract/events/paginateEventLogs";
 import { accountRoutes } from "./contract/extensions/account";
 import { accountFactoryRoutes } from "./contract/extensions/accountFactory";
 import { erc1155Routes } from "./contract/extensions/erc1155";
-import { erc20Routes } from "./contract/extensions/erc20/index";
+import { erc20Routes } from "./contract/extensions/erc20";
 import { erc721Routes } from "./contract/extensions/erc721";
 import { marketplaceV3Routes } from "./contract/extensions/marketplaceV3/index";
 import { getABI } from "./contract/metadata/abi";
@@ -105,7 +105,7 @@ import { retryTransaction } from "./transaction/retry";
 import { retryFailedTransaction } from "./transaction/retry-failed";
 import { checkTxStatus } from "./transaction/status";
 import { syncRetryTransaction } from "./transaction/syncRetry";
-import { createWebhook } from "./webhooks/create";
+import { createWebhookRoute } from "./webhooks/create";
 import { getWebhooksEventTypes } from "./webhooks/events";
 import { getAllWebhooksData } from "./webhooks/getAll";
 import { revokeWebhook } from "./webhooks/revoke";
@@ -155,7 +155,7 @@ export const withRoutes = async (fastify: FastifyInstance) => {
 
   // Webhooks
   await fastify.register(getAllWebhooksData);
-  await fastify.register(createWebhook);
+  await fastify.register(createWebhookRoute);
   await fastify.register(revokeWebhook);
   await fastify.register(getWebhooksEventTypes);
 

src/server/routes/webhooks/create.ts

@@ -6,11 +6,11 @@ import { WebhooksEventTypes } from "../../../schema/webhooks";
 import { createCustomError } from "../../middleware/error";
 import { standardResponseSchema } from "../../schemas/sharedApiSchemas";
 import { WebhookSchema, toWebhookSchema } from "../../schemas/webhook";
-import { isValidHttpUrl } from "../../utils/validator";
+import { isValidWebhookUrl } from "../../utils/validator";
 
 const requestBodySchema = Type.Object({
   url: Type.String({
-    description: "Webhook URL",
+    description: "Webhook URL. Non-HTTPS URLs are not supported.",
     examples: ["https://example.com/webhook"],
   }),
   name: Type.Optional(
@@ -23,52 +23,21 @@ const requestBodySchema = Type.Object({
 
 requestBodySchema.examples = [
   {
-    url: "https://example.com/allTxUpdate",
-    name: "All Transaction Events",
+    url: "https://example.com/webhook",
+    name: "Notify of transaction updates",
+    secret: "...",
     eventType: WebhooksEventTypes.ALL_TX,
-  },
-  {
-    url: "https://example.com/queuedTx",
-    name: "QueuedTx",
-    eventType: WebhooksEventTypes.QUEUED_TX,
-  },
-  {
-    url: "https://example.com/sentTx",
-    name: "Sent Transaction Event",
-    eventType: WebhooksEventTypes.SENT_TX,
-  },
-  {
-    url: "https://example.com/minedTx",
-    name: "Mined Transaction Event",
-    eventType: WebhooksEventTypes.MINED_TX,
-  },
-  {
-    url: "https://example.com/erroredTx",
-    name: "Errored Transaction Event",
-    eventType: WebhooksEventTypes.ERRORED_TX,
-  },
-  {
-    url: "https://example.com/cancelledTx",
-    name: "Cancelled Transaction Event",
-    eventType: WebhooksEventTypes.CANCELLED_TX,
-  },
-  {
-    url: "https://example.com/walletBalance",
-    name: "Backend Wallet Balance Event",
-    eventType: WebhooksEventTypes.BACKEND_WALLET_BALANCE,
-  },
-  {
-    url: "https://example.com/auth",
-    name: "Auth Check",
-    eventType: WebhooksEventTypes.AUTH,
+    active: true,
+    createdAt: "2024-10-02T02:07:27.255Z",
+    id: 42,
   },
 ];
 
 const responseBodySchema = Type.Object({
   result: WebhookSchema,
 });
 
-export async function createWebhook(fastify: FastifyInstance) {
+export async function createWebhookRoute(fastify: FastifyInstance) {
   fastify.route<{
     Body: Static<typeof requestBodySchema>;
     Reply: Static<typeof responseBodySchema>;
@@ -78,7 +47,7 @@ export async function createWebhook(fastify: FastifyInstance) {
     schema: {
       summary: "Create a webhook",
       description:
-        "Create a webhook to call when certain blockchain events occur.",
+        "Create a webhook to call when a specific Engine event occurs.",
       tags: ["Webhooks"],
       operationId: "createWebhook",
       body: requestBodySchema,
@@ -90,7 +59,7 @@ export async function createWebhook(fastify: FastifyInstance) {
     handler: async (req, res) => {
       const { url, name, eventType } = req.body;
 
-      if (!isValidHttpUrl(url)) {
+      if (!isValidWebhookUrl(url)) {
         throw createCustomError(
           "Invalid webhook URL. Make sure it starts with 'https://'.",
           StatusCodes.BAD_REQUEST,

src/server/schemas/webhook.ts

@@ -19,6 +19,6 @@ export const toWebhookSchema = (
   eventType: webhook.eventType,
   secret: webhook.secret,
   createdAt: webhook.createdAt.toISOString(),
-  active: webhook.revokedAt ? false : true,
+  active: !webhook.revokedAt,
   id: webhook.id,
 });

src/server/utils/validator.ts

@@ -90,10 +90,15 @@ export const checkAndReturnNFTSignaturePayload = <
   return updatedPayload;
 };
 
-export const isValidHttpUrl = (urlString: string): boolean => {
+export const isValidWebhookUrl = (input: string): boolean => {
   try {
-    const url = new URL(urlString);
-    return url.protocol === "http:" || url.protocol === "https:";
+    const url = new URL(input);
+    return (
+      url.protocol === "https:" ||
+      // Allow http for localhost only.
+      (url.protocol === "http:" &&
+        ["localhost", "0.0.0.0", "127.0.0.1"].includes(url.hostname))
+    );
   } catch {
     return false;
   }

src/tests/validator.test.ts

@@ -0,0 +1,34 @@
+import { describe, expect, it } from "vitest";
+import { isValidWebhookUrl } from "../server/utils/validator";
+
+describe("isValidWebhookUrl", () => {
+  it("should return true for a valid HTTPS URL", () => {
+    expect(isValidWebhookUrl("https://example.com")).toBe(true);
+  });
+
+  it("should return false for an HTTP URL", () => {
+    expect(isValidWebhookUrl("http://example.com")).toBe(false);
+  });
+
+  it("should return false for a URL without protocol", () => {
+    expect(isValidWebhookUrl("example.com")).toBe(false);
+  });
+
+  it("should return false for an invalid URL", () => {
+    expect(isValidWebhookUrl("invalid-url")).toBe(false);
+  });
+
+  it("should return false for a URL with a different protocol", () => {
+    expect(isValidWebhookUrl("ftp://example.com")).toBe(false);
+  });
+
+  it("should return false for an empty string", () => {
+    expect(isValidWebhookUrl("")).toBe(false);
+  });
+
+  it("should return true for a http localhost", () => {
+    expect(isValidWebhookUrl("http://localhost:3000")).toBe(true);
+    expect(isValidWebhookUrl("http://0.0.0.0:3000")).toBe(true);
+    expect(isValidWebhookUrl("http://user:pass@127.0.0.1:3000")).toBe(true);
+  });
+});