LightningWeb.Plugs.WebhookAuth (Lightning v2.14.5-pre1)


A Plug that authenticates and authorizes requests whose paths start with '/i/'. It verifies that the request carries a correct API key or correct Basic Authentication credentials.

Summary

Functions

call(conn, action)

Handles webhook auth for /i/:webhook requests.

init(opts)

Initializes the options.

Functions

call(conn, action)

@spec call(Plug.Conn.t(), any()) :: Plug.Conn.t()

Handles webhook auth for /i/:webhook requests.

  • CORS preflight: If the request method is OPTIONS, this plug is a no-op and returns the connection unchanged so upstream CORS handling can respond. This avoids doing DB lookups or emitting 401/404 on preflight requests.

  • Auth flow: For non-OPTIONS requests whose path matches /i/:webhook, this plug:

    1. Looks up the webhook trigger (with workflow and edges) and its webhook_auth_methods, wrapped in Lightning.Retry.with_webhook_retry/2 so transient DB errors are retried.
    2. If the trigger is missing → responds 404 {"error":"webhook_not_found"}.
    3. If auth methods are configured:
      • If credentials match → assigns :trigger and continues.
      • If credentials are present but wrong → responds 404, which hides the webhook's existence from a caller without valid credentials.
      • If credentials are missing → responds 401.
    4. If retries exhaust due to DB issues → responds 503 with Retry-After based on WEBHOOK_RETRY_TIMEOUT_MS.

Returns the (possibly halted) connection.
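The decision flow above as a pure function, given here as an added sketch and not Lightning's own code. The module name, the `x-api-key` header, the tagged-tuple shape of `webhook_auth_methods`, the lookup return values, the open-trigger clause and the rounding of Retry-After are all assumptions made for the illustration.

```elixir
defmodule WebhookAuthSketch do
  # Added illustration of the documented decision flow; not Lightning's code.
  import Bitwise

  # lookup_fun stands in for the retried DB lookup; OPTIONS never calls it.
  def decide("OPTIONS", _headers, _lookup_fun, _timeout_ms), do: :pass

  def decide(_method, headers, lookup_fun, timeout_ms) do
    case lookup_fun.() do
      {:error, :retries_exhausted} ->
        # Assumption: Retry-After is the timeout in whole seconds, rounded up.
        {:halt, 503, [{"retry-after", Integer.to_string(ceil(timeout_ms / 1000))}]}
      {:ok, nil} ->
        {:halt, 404, []}
      # Assumption: a trigger with no auth methods accepts the request.
      {:ok, %{webhook_auth_methods: []} = trigger} ->
        {:assign, trigger}
      {:ok, %{webhook_auth_methods: methods} = trigger} ->
        check(presented(headers), methods, trigger)
    end
  end

  defp check([], _methods, _trigger), do: {:halt, 401, []}
  defp check(creds, methods, trigger) do
    ok? = Enum.any?(methods, fn m -> Enum.any?(creds, &matches?(&1, m)) end)
    # Wrong credentials get the same 404 as an unknown webhook.
    if ok?, do: {:assign, trigger}, else: {:halt, 404, []}
  end

  # Assumed header names; a malformed Basic value counts as present but wrong.
  defp presented(headers) do
    Enum.flat_map(headers, fn
      {"x-api-key", key} -> [{:api, key}]
      {"authorization", "Basic " <> b64} ->
        case Base.decode64(b64) do
          {:ok, user_pass} -> [{:basic, user_pass}]
          :error -> [{:invalid, ""}]
        end
      _ -> []
    end)
  end

  defp matches?({tag, a}, {tag, b}), do: secure_eq(a, b)
  defp matches?(_, _), do: false

  # No early exit, so timing does not reveal how many leading bytes matched.
  defp secure_eq(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> bor(acc, bxor(x, y)) end) == 0
  end
  defp secure_eq(_, _), do: false
end
```

Call it as `WebhookAuthSketch.decide(method, headers, lookup_fun, timeout_ms)` with lowercase header tuples and a zero-arity function that returns `{:ok, trigger}`, `{:ok, nil}` or `{:error, :retries_exhausted}`. Because the wrong-credential and unknown-webhook branches return the same status, a test suite for the real plug should assert that both responses are indistinguishable to the client.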

init(opts)

Initializes the options.