Added a hash to the HTTP callback URLs

Author: matt-aitken

apps/webapp/app/presenters/v3/WaitpointListPresenter.server.ts

@@ -12,7 +12,7 @@ import { BasePresenter } from "./basePresenter.server";
 import { type WaitpointSearchParams } from "~/components/runs/v3/WaitpointTokenFilters";
 import { determineEngineVersion } from "~/v3/engineVersion.server";
 import { type WaitpointTokenStatus, type WaitpointTokenItem } from "@trigger.dev/core/v3";
-import { generateWaitpointCallbackUrl } from "./WaitpointPresenter.server";
+import { generateHttpCallbackUrl } from "~/services/httpCallback.server";
 
 const DEFAULT_PAGE_SIZE = 25;
 
@@ -24,6 +24,7 @@ export type WaitpointListOptions = {
       id: string;
       engine: RunEngineVersion;
     };
+    apiKey: string;
   };
   resolver: WaitpointResolver;
   // filters
@@ -267,7 +268,7 @@ export class WaitpointListPresenter extends BasePresenter {
       success: true,
       tokens: tokensToReturn.map((token) => ({
         id: token.friendlyId,
-        callbackUrl: generateWaitpointCallbackUrl(token.id),
+        callbackUrl: generateHttpCallbackUrl(token.id, environment.apiKey),
         status: waitpointStatusToApiStatus(token.status, token.outputIsError),
         completedAt: token.completedAt ?? undefined,
         timeoutAt: token.completedAfter ?? undefined,

apps/webapp/app/presenters/v3/WaitpointPresenter.server.ts

@@ -5,6 +5,7 @@ import { type RunListItem, RunListPresenter } from "./RunListPresenter.server";
 import { waitpointStatusToApiStatus } from "./WaitpointListPresenter.server";
 import { WaitpointId } from "@trigger.dev/core/v3/isomorphic";
 import { env } from "~/env.server";
+import { generateHttpCallbackUrl } from "~/services/httpCallback.server";
 
 export type WaitpointDetail = NonNullable<Awaited<ReturnType<WaitpointPresenter["call"]>>>;
 
@@ -24,6 +25,7 @@ export class WaitpointPresenter extends BasePresenter {
         environmentId,
       },
       select: {
+        id: true,
         friendlyId: true,
         type: true,
         status: true,
@@ -45,6 +47,11 @@ export class WaitpointPresenter extends BasePresenter {
           take: 5,
         },
         tags: true,
+        environment: {
+          select: {
+            apiKey: true,
+          },
+        },
       },
     });
 
@@ -89,7 +96,7 @@ export class WaitpointPresenter extends BasePresenter {
       resolver: waitpoint.resolver,
       callbackUrl:
         waitpoint.resolver === "HTTP_CALLBACK"
-          ? generateWaitpointCallbackUrl(waitpoint.friendlyId)
+          ? generateHttpCallbackUrl(waitpoint.id, waitpoint.environment.apiKey)
           : undefined,
       status: waitpointStatusToApiStatus(waitpoint.status, waitpoint.outputIsError),
       idempotencyKey: waitpoint.idempotencyKey,
@@ -108,9 +115,3 @@ export class WaitpointPresenter extends BasePresenter {
     };
   }
 }
-
-export function generateWaitpointCallbackUrl(waitpointId: string) {
-  return `${
-    env.API_ORIGIN ?? env.APP_ORIGIN
-  }/api/v1/waitpoints/http-callback/${WaitpointId.toFriendlyId(waitpointId)}/callback`;
-}

apps/webapp/app/routes/api.v1.waitpoints.http-callback.$waitpointFriendlyId.callback.ts renamed to apps/webapp/app/routes/api.v1.waitpoints.http-callback.$waitpointFriendlyId.callback.$hash.ts

@@ -8,11 +8,13 @@ import { WaitpointId } from "@trigger.dev/core/v3/isomorphic";
 import { z } from "zod";
 import { $replica } from "~/db.server";
 import { env } from "~/env.server";
+import { verifyHttpCallbackHash } from "~/services/httpCallback.server";
 import { logger } from "~/services/logger.server";
 import { engine } from "~/v3/runEngine.server";
 
 const paramsSchema = z.object({
   waitpointFriendlyId: z.string(),
+  hash: z.string(),
 });
 
 export async function action({ request, params }: ActionFunctionArgs) {
@@ -25,20 +27,31 @@ export async function action({ request, params }: ActionFunctionArgs) {
     return json({ error: "Request body too large" }, { status: 413 });
   }
 
-  const { waitpointFriendlyId } = paramsSchema.parse(params);
+  const { waitpointFriendlyId, hash } = paramsSchema.parse(params);
   const waitpointId = WaitpointId.toId(waitpointFriendlyId);
 
   try {
     const waitpoint = await $replica.waitpoint.findFirst({
       where: {
         id: waitpointId,
       },
+      include: {
+        environment: {
+          select: {
+            apiKey: true,
+          },
+        },
+      },
     });
 
     if (!waitpoint) {
       throw json({ error: "Waitpoint not found" }, { status: 404 });
     }
 
+    if (!verifyHttpCallbackHash(waitpoint.id, hash, waitpoint.environment.apiKey)) {
+      throw json({ error: "Invalid URL, hash doesn't match" }, { status: 401 });
+    }
+
     if (waitpoint.status === "COMPLETED") {
       return json<CompleteWaitpointTokenResponseBody>({
         success: true,

apps/webapp/app/routes/engine.v1.waitpoints.http-callback.ts

@@ -4,14 +4,12 @@ import {
   CreateWaitpointTokenRequestBody,
 } from "@trigger.dev/core/v3";
 import { WaitpointId } from "@trigger.dev/core/v3/isomorphic";
-import { env } from "~/env.server";
 import { createWaitpointTag, MAX_TAGS_PER_WAITPOINT } from "~/models/waitpointTag.server";
 import {
   ApiWaitpointListPresenter,
   ApiWaitpointListSearchParams,
 } from "~/presenters/v3/ApiWaitpointListPresenter.server";
-import { generateWaitpointCallbackUrl } from "~/presenters/v3/WaitpointPresenter.server";
-import { type AuthenticatedEnvironment } from "~/services/apiAuth.server";
+import { generateHttpCallbackUrl } from "~/services/httpCallback.server";
 import {
   createActionApiRoute,
   createLoaderApiRoute,
@@ -84,7 +82,7 @@ const { action } = createActionApiRoute(
       return json<CreateWaitpointHttpCallbackResponseBody>(
         {
           id: WaitpointId.toFriendlyId(result.waitpoint.id),
-          url: generateWaitpointCallbackUrl(result.waitpoint.id),
+          url: generateHttpCallbackUrl(result.waitpoint.id, authentication.environment.apiKey),
           isCached: result.isCached,
         },
         { status: 200 }

apps/webapp/app/services/apiRateLimit.server.ts

@@ -59,7 +59,7 @@ export const apiRateLimiter = authorizationRateLimitMiddleware({
     "/api/v1/usage/ingest",
     "/api/v1/auth/jwt/claims",
     /^\/api\/v1\/runs\/[^\/]+\/attempts$/, // /api/v1/runs/$runFriendlyId/attempts
-    /^\/api\/v1\/waitpoints\/http-callback\/[^\/]+\/callback$/, // /api/v1/waitpoints/http-callback/$waitpointFriendlyId/callback
+    /^\/api\/v1\/waitpoints\/http-callback\/[^\/]+\/callback\/[^\/]+$/, // /api/v1/waitpoints/http-callback/$waitpointFriendlyId/callback/$hash
   ],
   log: {
     rejections: env.API_RATE_LIMIT_REJECTION_LOGS_ENABLED === "1",

apps/webapp/app/services/httpCallback.server.ts

@@ -0,0 +1,30 @@
+import { WaitpointId } from "@trigger.dev/core/v3/isomorphic";
+import nodeCrypto from "node:crypto";
+import { env } from "~/env.server";
+
+export function generateHttpCallbackUrl(waitpointId: string, apiKey: string) {
+  const hash = generateHttpCallbackHash(waitpointId, apiKey);
+
+  return `${
+    env.API_ORIGIN ?? env.APP_ORIGIN
+  }/api/v1/waitpoints/http-callback/${WaitpointId.toFriendlyId(waitpointId)}/callback/${hash}`;
+}
+
+function generateHttpCallbackHash(waitpointId: string, apiKey: string) {
+  const hmac = nodeCrypto.createHmac("sha256", apiKey);
+  hmac.update(waitpointId);
+  return hmac.digest("hex");
+}
+
+export function verifyHttpCallbackHash(waitpointId: string, hash: string, apiKey: string) {
+  const expectedHash = generateHttpCallbackHash(waitpointId, apiKey);
+
+  if (
+    hash.length === expectedHash.length &&
+    nodeCrypto.timingSafeEqual(Buffer.from(hash, "hex"), Buffer.from(expectedHash, "hex"))
+  ) {
+    return true;
+  }
+
+  return false;
+}