discourse/app/controllers/webhooks_controller.rb

# frozen_string_literal: true

require "openssl"

class WebhooksController < ActionController::Base

  def mailgun
    return mailgun_failure if SiteSetting.mailgun_api_key.blank?

    params["event-data"] ? handle_mailgun_new(params) : handle_mailgun_legacy(params)
  end

  def sendgrid
    events = params["_json"] || [params]
    events.each do |event|
      message_id = (event["smtp-id"] || "").tr("<>", "")
      to_address = event["email"]
      if event["event"] == "bounce".freeze
        if event["status"]["4."]
          process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
        else
          process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
        end
      elsif event["event"] == "dropped".freeze
        process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
      end
    end

    success
  end

  def mailjet
    events = params["_json"] || [params]
    events.each do |event|
      message_id = event["CustomID"]
      to_address = event["email"]
      if event["event"] == "bounce".freeze
        if event["hard_bounce"]
          process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
        else
          process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
        end
      end
    end

    success
  end

  def mandrill
    events = params["mandrill_events"]
    events.each do |event|
      message_id = event.dig("msg", "metadata", "message_id")
      to_address = event.dig("msg", "email")

      case event["event"]
      when "hard_bounce"
        process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
      when "soft_bounce"
        process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
      end
    end

    success
  end

  def postmark
    # see https://postmarkapp.com/developer/webhooks/bounce-webhook#bounce-webhook-data
    # and https://postmarkapp.com/developer/api/bounce-api#bounce-types

    message_id = params["MessageID"]
    to_address = params["Email"]
    type = params["Type"]
    case type
    when "HardBounce", "SpamNotification", "SpamComplaint"
      process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
    when "SoftBounce"
      process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
    end

    success
  end

  def sparkpost
    events = params["_json"] || [params]
    events.each do |event|
      message_event = event.dig("msys", "message_event")
      next unless message_event

      message_id   = message_event.dig("rcpt_meta", "message_id")
      to_address   = message_event["rcpt_to"]
      bounce_class = message_event["bounce_class"]
      next unless bounce_class

      bounce_class = bounce_class.to_i

      # bounce class definitions: https://support.sparkpost.com/customer/portal/articles/1929896
      if bounce_class < 80
        if bounce_class == 10 || bounce_class == 25 || bounce_class == 30
          process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
        else
          process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
        end
      end
    end

    success
  end

  def aws
    raw  = request.raw_post
    json = JSON.parse(raw)

    case json["Type"]
    when "SubscriptionConfirmation"
      Jobs.enqueue(:confirm_sns_subscription, raw: raw, json: json)
    when "Notification"
      Jobs.enqueue(:process_sns_notification, raw: raw, json: json)
    end

    success
  end

  private

  def mailgun_failure
    render body: nil, status: 406
  end

  def success
    render body: nil, status: 200
  end

  def valid_mailgun_signature?(token, timestamp, signature)
    # token is a random 50 characters string
    return false if token.blank? || token.size != 50

    # prevent replay attacks
    key = "mailgun_token_#{token}"
    return false unless Discourse.redis.setnx(key, 1)
    Discourse.redis.expire(key, 10.minutes)

    # ensure timestamp isn't too far from current time
    return false if (Time.at(timestamp.to_i) - Time.now).abs > 12.hours.to_i

    # check the signature
    signature == OpenSSL::HMAC.hexdigest("SHA256", SiteSetting.mailgun_api_key, "#{timestamp}#{token}")
  end

  def handle_mailgun_legacy(params)
    return mailgun_failure unless valid_mailgun_signature?(params["token"], params["timestamp"], params["signature"])

    event = params["event"]
    message_id = params["Message-Id"].tr("<>", "")
    to_address = params["recipient"]

    # only handle soft bounces, because hard bounces are also handled
    # by the "dropped" event and we don't want to increase bounce score twice
    # for the same message
    if event == "bounced".freeze && params["error"]["4."]
      process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
    elsif event == "dropped".freeze
      process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
    end

    success
  end

  def handle_mailgun_new(params)
    signature = params["signature"]
    return mailgun_failure unless valid_mailgun_signature?(signature["token"], signature["timestamp"], signature["signature"])

    data = params["event-data"]
    message_id = data.dig("message", "headers", "message-id")
    to_address = data["recipient"]
    severity = data["severity"]

    if data["event"] == "failed".freeze
      if severity == "temporary".freeze
        process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
      elsif severity == "permanent".freeze
        process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
      end
    end

    success
  end

  def process_bounce(message_id, to_address, bounce_score)
    return if message_id.blank? || to_address.blank?

    email_log = EmailLog.find_by(message_id: message_id, to_address: to_address)
    return if email_log.nil?

    email_log.update_columns(bounced: true)
    return if email_log.user.nil? || email_log.user.email.blank?

    Email::Receiver.update_bounce_score(email_log.user.email, bounce_score)
  end

end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00			`require "openssl"`

			`class WebhooksController < ActionController::Base`

			`def mailgun`
			`return mailgun_failure if SiteSetting.mailgun_api_key.blank?`

FIX: new mailgun webhooks 2019-01-31 11:52:33 -05:00			`params["event-data"] ? handle_mailgun_new(params) : handle_mailgun_legacy(params)`
FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00			`end`

FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`def sendgrid`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`events = params["_json"] \|\| [params]`
			`events.each do \|event\|`
loosen security a bit on mailgun's webhook 2016-06-08 16:38:38 -04:00			`message_id = (event["smtp-id"] \|\| "").tr("<>", "")`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`to_address = event["email"]`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`if event["event"] == "bounce".freeze`
			`if event["status"]["4."]`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`else`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`end`
			`elsif event["event"] == "dropped".freeze`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`end`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`end`

FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`def mailjet`
			`events = params["_json"] \|\| [params]`
			`events.each do \|event\|`
loosen security a bit on mailgun's webhook 2016-06-08 16:38:38 -04:00			`message_id = event["CustomID"]`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`to_address = event["email"]`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`if event["event"] == "bounce".freeze`
			`if event["hard_bounce"]`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`else`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`end`
			`end`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00			`end`

FEATURE: support for mandrill webhooks 2016-06-13 06:31:01 -04:00			`def mandrill`
			`events = params["mandrill_events"]`
			`events.each do \|event\|`
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions. 2018-03-28 04:20:08 -04:00			`message_id = event.dig("msg", "metadata", "message_id")`
			`to_address = event.dig("msg", "email")`
FEATURE: support for mandrill webhooks 2016-06-13 06:31:01 -04:00
			`case event["event"]`
			`when "hard_bounce"`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
FEATURE: support for mandrill webhooks 2016-06-13 06:31:01 -04:00			`when "soft_bounce"`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
FEATURE: support for mandrill webhooks 2016-06-13 06:31:01 -04:00			`end`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
FEATURE: support for mandrill webhooks 2016-06-13 06:31:01 -04:00			`end`

add postmark webhook handling (#8919) 2020-02-11 10:09:07 -05:00			`def postmark`
			`# see https://postmarkapp.com/developer/webhooks/bounce-webhook#bounce-webhook-data`
			`# and https://postmarkapp.com/developer/api/bounce-api#bounce-types`

			`message_id = params["MessageID"]`
			`to_address = params["Email"]`
DEV: Apply rubocop (#8926) 2020-02-11 11:21:03 -05:00			`type = params["Type"]`
add postmark webhook handling (#8919) 2020-02-11 10:09:07 -05:00			`case type`
			`when "HardBounce", "SpamNotification", "SpamComplaint"`
			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
			`when "SoftBounce"`
			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
			`end`

			`success`
			`end`

FEATURE: sparkpost webhook 2016-09-27 01:13:34 -04:00			`def sparkpost`
			`events = params["_json"] \|\| [params]`
			`events.each do \|event\|`
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions. 2018-03-28 04:20:08 -04:00			`message_event = event.dig("msys", "message_event")`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`next unless message_event`

Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions. 2018-03-28 04:20:08 -04:00			`message_id = message_event.dig("rcpt_meta", "message_id")`
			`to_address = message_event["rcpt_to"]`
			`bounce_class = message_event["bounce_class"]`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`next unless bounce_class`
FEATURE: sparkpost webhook 2016-09-27 01:13:34 -04:00
			`bounce_class = bounce_class.to_i`

			`# bounce class definitions: https://support.sparkpost.com/customer/portal/articles/1929896`
			`if bounce_class < 80`
			`if bounce_class == 10 \|\| bounce_class == 25 \|\| bounce_class == 30`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
FEATURE: sparkpost webhook 2016-09-27 01:13:34 -04:00			`else`
FIX: bounce webhooks should also use recipient address 2017-02-05 13:06:35 -05:00			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
FEATURE: sparkpost webhook 2016-09-27 01:13:34 -04:00			`end`
			`end`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
			`end`

			`def aws`
			`raw = request.raw_post`
			`json = JSON.parse(raw)`

			`case json["Type"]`
			`when "SubscriptionConfirmation"`
			`Jobs.enqueue(:confirm_sns_subscription, raw: raw, json: json)`
			`when "Notification"`
			`Jobs.enqueue(:process_sns_notification, raw: raw, json: json)`
			`end`

			`success`
FEATURE: sparkpost webhook 2016-09-27 01:13:34 -04:00			`end`

FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00			`private`

Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`def mailgun_failure`
			`render body: nil, status: 406`
			`end`
FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00
FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`def success`
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`render body: nil, status: 200`
			`end`
FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00
FIX: new mailgun webhooks 2019-01-31 11:52:33 -05:00			`def valid_mailgun_signature?(token, timestamp, signature)`
			`# token is a random 50 characters string`
			`return false if token.blank? \|\| token.size != 50`

			`# prevent replay attacks`
			`key = "mailgun_token_#{token}"`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 04:05:53 -05:00			`return false unless Discourse.redis.setnx(key, 1)`
			`Discourse.redis.expire(key, 10.minutes)`
FIX: new mailgun webhooks 2019-01-31 11:52:33 -05:00
			`# ensure timestamp isn't too far from current time`
			`return false if (Time.at(timestamp.to_i) - Time.now).abs > 12.hours.to_i`

			`# check the signature`
			`signature == OpenSSL::HMAC.hexdigest("SHA256", SiteSetting.mailgun_api_key, "#{timestamp}#{token}")`
			`end`

			`def handle_mailgun_legacy(params)`
			`return mailgun_failure unless valid_mailgun_signature?(params["token"], params["timestamp"], params["signature"])`

			`event = params["event"]`
			`message_id = params["Message-Id"].tr("<>", "")`
			`to_address = params["recipient"]`

			`# only handle soft bounces, because hard bounces are also handled`
			`# by the "dropped" event and we don't want to increase bounce score twice`
			`# for the same message`
			`if event == "bounced".freeze && params["error"]["4."]`
			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
			`elsif event == "dropped".freeze`
			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
FIX: new mailgun webhooks 2019-01-31 11:52:33 -05:00			`end`

			`def handle_mailgun_new(params)`
			`signature = params["signature"]`
			`return mailgun_failure unless valid_mailgun_signature?(signature["token"], signature["timestamp"], signature["signature"])`

			`data = params["event-data"]`
			`message_id = data.dig("message", "headers", "message-id")`
			`to_address = data["recipient"]`
			`severity = data["severity"]`

			`if data["event"] == "failed".freeze`
			`if severity == "temporary".freeze`
			`process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)`
			`elsif severity == "permanent".freeze`
			`process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)`
			`end`
			`end`

FEATURE: AWS SNS bounce notifications webhooks 2019-02-13 15:26:40 -05:00			`success`
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`end`
FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`def process_bounce(message_id, to_address, bounce_score)`
			`return if message_id.blank? \|\| to_address.blank?`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`email_log = EmailLog.find_by(message_id: message_id, to_address: to_address)`
			`return if email_log.nil?`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`email_log.update_columns(bounced: true)`
			`return if email_log.user.nil? \|\| email_log.user.email.blank?`
FIX: don't error out when we receive a bounce associated to a deleted user 2016-10-26 04:13:05 -04:00
Make rubocop happy again. 2018-06-07 01:28:18 -04:00			`Email::Receiver.update_bounce_score(email_log.user.email, bounce_score)`
			`end`
FEATURE: mailjet webhook 2016-06-06 13:47:45 -04:00
FEATURE: webhooks support for mailgun 2016-05-30 11:11:17 -04:00			`end`