Conversation
Adds X-Internal-Auth-Token header to webhook requests when calling core-api internal endpoints. Token is read from INTERNAL_AUTH_TOKEN env var and only included if set (for dev compatibility).
📝 WalkthroughWalkthroughThree webhook POST requests now conditionally include an internal authorization header ( Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@src/lib/auth.ts`:
- Around line 139-144: Only attach the X-Internal-Auth-Token header when the
target webhook URL is trusted: parse the webhook URL (e.g., the
WELCOME_EMAIL_WEBHOOK_URL or the url variable used where headers are built),
validate its hostname against an allowlist provided via an env var (e.g.,
INTERNAL_AUTH_TRUSTED_HOSTS as a comma-separated list) or a simple internal-host
check, and only then include process.env.INTERNAL_AUTH_TOKEN in the headers;
otherwise omit the header. Implement this check where headers are constructed
(the code that currently builds the headers object with 'Content-Type' and
optionally 'X-Internal-Auth-Token') so the header injection is gated by the
validated hostname.
| headers: { | ||
| 'Content-Type': 'application/json', | ||
| ...(process.env.INTERNAL_AUTH_TOKEN && { | ||
| 'X-Internal-Auth-Token': process.env.INTERNAL_AUTH_TOKEN, | ||
| }), | ||
| }, |
There was a problem hiding this comment.
Scope the internal token to trusted webhook URLs.
Right now the token is attached whenever INTERNAL_AUTH_TOKEN is set, regardless of the webhook target. If WELCOME_EMAIL_WEBHOOK_URL is misconfigured or redirected to an external host, this leaks the internal token. Consider gating header injection to an allowlist of internal hosts (e.g., from an env var) or validating the URL before attaching the header.
🤖 Prompt for AI Agents
In `@src/lib/auth.ts` around lines 139 - 144, Only attach the
X-Internal-Auth-Token header when the target webhook URL is trusted: parse the
webhook URL (e.g., the WELCOME_EMAIL_WEBHOOK_URL or the url variable used where
headers are built), validate its hostname against an allowlist provided via an
env var (e.g., INTERNAL_AUTH_TRUSTED_HOSTS as a comma-separated list) or a
simple internal-host check, and only then include
process.env.INTERNAL_AUTH_TOKEN in the headers; otherwise omit the header.
Implement this check where headers are constructed (the code that currently
builds the headers object with 'Content-Type' and optionally
'X-Internal-Auth-Token') so the header injection is gated by the validated
hostname.
2 participants
Adds
X-Internal-Auth-Tokenheader to webhook requests when calling core-api internal endpoints.Changes
INTERNAL_AUTH_TOKENfrom env varContext
Required for core-api PR #19 (security audit) which adds validation of this token on the receiving end.
Deployment
After merge, set
INTERNAL_AUTH_TOKENenv var in staging/prod (pulled from Bitwardeninternal-auth-tokenfield).Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings.