brevo webhook validation

paulwer 2024-03-25 07:16:26 +01:00
parent 1db0350273
commit a1b35909b0


@ -13,6 +13,7 @@ namespace App\Http\Controllers;
use App\Jobs\Brevo\ProcessBrevoInboundWebhook; use App\Jobs\Brevo\ProcessBrevoInboundWebhook;
use App\Jobs\Brevo\ProcessBrevoWebhook; use App\Jobs\Brevo\ProcessBrevoWebhook;
use App\Libraries\MultiDB;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Log; use Log;
@ -185,8 +186,17 @@ class BrevoController extends BaseController
{ {
$input = $request->all(); $input = $request->all();
// TODO: validation for client mail credentials by recipient // validation for client mail credentials by recipient
if (!($request->has('token') && $request->get('token') == config('services.brevo.secret'))) if ($request->has('company')) {
if (!($request->has('token')))
return response()->json(['message' => 'Unauthorized'], 403);
$company = MultiDB::findAndSetDbByCompanyId($request->has('company'));
$company_brevo_secret = $company->settings?->email_sending_method === 'client_brevo' && $company->settings?->brevo_secret ? $company->settings?->brevo_secret : null;
if (!$company || $request->get('token') !== $company_brevo_secret)
return response()->json(['message' => 'Unauthorized'], 403);
} else if (!($request->has('token') && $request->get('token') == config('services.brevo.secret')))
return response()->json(['message' => 'Unauthorized'], 403); return response()->json(['message' => 'Unauthorized'], 403);
if (!array_key_exists('items', $input)) { if (!array_key_exists('items', $input)) {
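Review bot: The per-company lookup passes `$request->has('company')`, a boolean, to `MultiDB::findAndSetDbByCompanyId()` rather than the submitted id, so the secret is presumably never resolved for the company named in the request; it should read `$company = MultiDB::findAndSetDbByCompanyId($request->get('company'));`. The following line reads `$company->settings` before the `!$company` check runs, so an unknown company would fail on a null dereference instead of returning the 403. When the company has no `brevo_secret` the expected value is `null`, and the strict `!==` would not reject a token that is present but null (if `has('token')` only tests key presence), so the check should fail closed and compare in constant time: `$token = $request->get('token');` followed by `if (!$company || !is_string($token) || !is_string($company_brevo_secret) || $company_brevo_secret === '' || !hash_equals($company_brevo_secret, $token))`. The `else if` fallback still uses a loose `==` against `config('services.brevo.secret')`, which has the same problem when that config value is unset and deserves the same guard. The method's signature and the rest of its body lie outside the hunk.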