Adding Outputs to an "Allow List"
  • 28 Dec 2022
  This documentation version is deprecated, please click here for the latest version.

At LimaCharlie, we rely on infrastructure with auto-scalers, and thus have neither static IPs nor a CIDR range that you can rely on for an allow list (or "whitelisting").

Typically, the concern around adding IPs to an allow list for Outputs is based on wanting to limit abuse and ensure that data from webhooks is truly coming from LimaCharlie and not other sources. To address this, we provide a secret_key parameter that can be used as a shared secret between LimaCharlie and your webhook receiver. When we issue a webhook, we include an lc-signature header that is an HMAC of the content of the webhook using the shared secret_key.

Here is some sample JavaScript code showing how this signature can be verified:

const Webhook = require('limacharlie/Webhook');

/**
 * Receives LimaCharlie.io webhooks.
 *
 * @param {!Object} req Cloud Function request context.
 * @param {!Object} res Cloud Function response context.
 */
exports.lc_cloud_func = (req, res) => {
  // Example input: {"message": "Hello!"}
  if (req.body.data === undefined) {
    // This is an error case, as we expect a form parameter "data".
    console.error('Got: ' + JSON.stringify(req.body, null, 2));
    res.status(400).send('No data defined.');
  } else {
    // First thing to do is validate this is a legitimate
    // webhook sent by limacharlie.io.
    let hookData = req.body.data;

    // This is the secret key set when creating the webhook.
    let whSecretKey = '123';

    // This is the signature sent via header, we must validate it.
    let whSignature = req.get('Lc-Signature');

    // This object will do the validation for you.
    let wh = new Webhook(whSecretKey);

    // Check the signature and return early if not valid.
    if (!wh.isSignatureValid(hookData, whSignature)) {
      console.error("Invalid signature, do not trust!");
      // Early return, 200 or an actual error if you want.
      res.status(200).end();
      return;
    }

    console.log("Good signature, proceed.");

    // Parse the JSON payload.
    hookData = JSON.parse(hookData);
    console.log("Parsed hook data: " + JSON.stringify(hookData, null, 2));

    // This is where you would do your own processing
    // like talking to other APIs etc.

    // Send the response so the request completes.
    res.status(200).end();
  }
};
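
As an added example (not LimaCharlie's code, and not the implementation of the limacharlie/Webhook helper used above), this is one way a receiver could check the lc-signature header with Node's built-in crypto module, comparing in constant time and rejecting missing or malformed headers. It assumes HMAC-SHA256 with a hex-encoded header value, which this page does not state; `verifyLcSignature` and the sample values are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// ASSUMPTIONS (not stated on this page; confirm them for your Output):
// the HMAC uses SHA-256 and the header value is hex-encoded.
const ASSUMED_ALGORITHM = 'sha256';
const ASSUMED_ENCODING = 'hex';

// Hypothetical helper. Returns true only if `signature` is the HMAC of
// `rawData` under `secretKey`. `rawData` must be the exact string that was
// received (req.body.data in the sample above), before any JSON.parse.
function verifyLcSignature(rawData, signature, secretKey) {
  if (typeof rawData !== 'string' || typeof signature !== 'string') {
    return false; // missing "data" parameter or missing lc-signature header
  }
  const expected = createHmac(ASSUMED_ALGORITHM, secretKey)
    .update(rawData, 'utf8')
    .digest();
  // Non-hex input decodes to a shorter buffer and fails the length check.
  const received = Buffer.from(signature.trim(), ASSUMED_ENCODING);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length) {
    return false;
  }
  return timingSafeEqual(received, expected);
}

// Constructed sample values, for demonstration only.
const sampleSecret = 'constructed-test-secret';
const sampleData = '{"message": "Hello!"}';
const sampleSignature = createHmac(ASSUMED_ALGORITHM, sampleSecret)
  .update(sampleData, 'utf8')
  .digest(ASSUMED_ENCODING);

function demo() {
  return {
    genuine: verifyLcSignature(sampleData, sampleSignature, sampleSecret),
    tamperedBody: verifyLcSignature('{"message": "Hello?"}', sampleSignature, sampleSecret),
    wrongSecret: verifyLcSignature(sampleData, sampleSignature, 'other-secret'),
    missingHeader: verifyLcSignature(sampleData, undefined, sampleSecret),
    truncated: verifyLcSignature(sampleData, sampleSignature.slice(0, 10), sampleSecret),
    notHex: verifyLcSignature(sampleData, 'zz-not-hex', sampleSecret),
  };
}

console.log(demo());
```

In a real receiver, load the secret from configuration rather than a literal, and respond and return before any parsing when the check fails.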
