From a1b35909b062fbb5a70a4284bc2e831402b6c6b6 Mon Sep 17 00:00:00 2001
From: paulwer
Date: Mon, 25 Mar 2024 07:16:26 +0100
Subject: [PATCH] brevo webhook validation

---
 app/Http/Controllers/BrevoController.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/BrevoController.php b/app/Http/Controllers/BrevoController.php
index bd4f1ad59480..6a1e8ddfc0b4 100644
--- a/app/Http/Controllers/BrevoController.php
+++ b/app/Http/Controllers/BrevoController.php
@@ -13,6 +13,7 @@ namespace App\Http\Controllers;
 
 use App\Jobs\Brevo\ProcessBrevoInboundWebhook;
 use App\Jobs\Brevo\ProcessBrevoWebhook;
+use App\Libraries\MultiDB;
 use Illuminate\Http\Request;
 use Log;
 
@@ -185,8 +186,17 @@ class BrevoController extends BaseController
 {
 $input = $request->all();
 
- // TODO: validation for client mail credentials by recipient
- if (!($request->has('token') && $request->get('token') == config('services.brevo.secret')))
+ // validation for client mail credentials by recipient
+ if ($request->has('company')) {
+ if (!($request->has('token')))
+ return response()->json(['message' => 'Unauthorized'], 403);
+
+ $company = MultiDB::findAndSetDbByCompanyId($request->has('company'));
+ $company_brevo_secret = $company->settings?->email_sending_method === 'client_brevo' && $company->settings?->brevo_secret ? $company->settings?->brevo_secret : null;
+ if (!$company || $request->get('token') !== $company_brevo_secret)
+ return response()->json(['message' => 'Unauthorized'], 403);
+
+ } else if (!($request->has('token') && $request->get('token') == config('services.brevo.secret')))
 return response()->json(['message' => 'Unauthorized'], 403);
 
 if (!array_key_exists('items', $input)) {
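Review bot: The company lookup in the new branch passes `$request->has('company')` — a boolean — to `MultiDB::findAndSetDbByCompanyId()`, so the per-company secret can never be resolved from the submitted id; it should be `$request->get('company')`. The secret is also read from `$company->settings` before the `!$company` guard runs, and a plain `!==` on the secret is not a constant-time comparison; resolve the company, reject early when it is missing, then compare with `hash_equals()` after confirming both sides are strings (a `token[]` query parameter would otherwise reach the comparison as an array). The fallback branch keeps the loose `==` against `config('services.brevo.secret')`; if that config value is unset, an empty `token` satisfies it, so the same strict string-and-`hash_equals()` check applies there. The method's signature lies above this hunk.
```php
        if ($request->has('company')) {
            $company = MultiDB::findAndSetDbByCompanyId($request->get('company'));
            if (!$company) {
                return response()->json(['message' => 'Unauthorized'], 403);
            }

            $company_brevo_secret = $company->settings?->email_sending_method === 'client_brevo' && $company->settings?->brevo_secret ? $company->settings?->brevo_secret : null;
            $token = $request->get('token');
            if (!is_string($company_brevo_secret) || !is_string($token) || !hash_equals($company_brevo_secret, $token)) {
                return response()->json(['message' => 'Unauthorized'], 403);
            }
        } elseif (!is_string($request->get('token')) || !is_string(config('services.brevo.secret')) || !hash_equals(config('services.brevo.secret'), $request->get('token'))) {
            return response()->json(['message' => 'Unauthorized'], 403);
        }
        // … unchanged: 'items' check and job dispatch …
```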