
Syndicate endpoint: Support multiple methods of supplying a token #571

Merged
merged 2 commits into main from netlify-webhook-token
Jan 7, 2023

Conversation


@paulrobertlloyd paulrobertlloyd commented Jan 5, 2023

Finally spent some time investigating how to use JWT/JWS tokens in Netlify’s webhook feature.

Rather than provide a token in the URL's query string (the token for which expires after 90 days), you can instead provide a secret token. This would be saved as an environment variable for your Indiekit server to use (WEBHOOK_SECRET1) and this same value would be supplied for ‘JWS secret token’ in Netlify’s outgoing webhook form.

If a secret token is provided, Netlify will send a signature in the X-Webhook-Signature header. Indiekit will see this, verify it can be signed with the shared secret, and then generate a short lived (10 minutes) access token with only the update scope. In addition, the me value will be taken from the url value provided in the webhook body from Netlify.

This means that the verified token supplied by the X-Webhook-Signature header:

  • MUST use SHA256 algorithm
  • MUST have an issuer value of netlify
  • MUST be signed using the same secret token

In addition, the webhook will only syndicate if the URL matches that provided in an Indiekit server’s configuration (publication.me).

Hopefully this method is a little more convenient, and saves sharing an access token with Netlify. It does mean saving another environment variable, however.

A bearer token can be provided in a token query string, or using the access_token form body value.

The syndication endpoint is also no longer behind authentication; no posts can be updated as the Micropub endpoint remains behind authentication (and can only be authenticated using a valid access token, or one generated using a webhook signature as described above).

Footnotes

  1. WEBHOOK_SECRET or NETLIFY_SECRET 🤔

@paulrobertlloyd paulrobertlloyd added enhancement New feature or request plugin-endpoint Endpoint plug-in labels Jan 5, 2023
@paulrobertlloyd paulrobertlloyd self-assigned this Jan 5, 2023
@paulrobertlloyd

@sentience Feel free to chime in with any feedback. Once this is merged, I think syndication should work properly again, and also be easier to set up and maintain.

@paulrobertlloyd paulrobertlloyd marked this pull request as ready for review January 7, 2023 21:21
@paulrobertlloyd paulrobertlloyd merged commit 23e6c92 into main Jan 7, 2023
@paulrobertlloyd paulrobertlloyd deleted the netlify-webhook-token branch January 7, 2023 21:25