[feat] webhook payload signature verification

[cauethenorio]

Currently, when my application receives the webhook payload sent by free-email-forwarding there's no way to validate the request authenticity.

It would be nice if it has some validation field, like the signature one which mailgun uses in their webhooks:
https://documentation.mailgun.com/en/latest/user_manual.html?highlight=signature#webhooks

Thanks for building this awesome project and making it open-source @niftylettuce!

[niftylettuce]

You could verify the request came from mx1.forwardemail.net or mx2.forwardemail.net resolved IP addresses. I will add a signature or something as soon I can. Trying to ship the browser extension among other things. Thanks for raising this point @cauethenorio.

[m4rvr]

Hey @niftylettuce, is this still on the roadmap or are there other solutions for that now?

[titanism]

Will see what we can do!

[titanism]

Another solution is to just check that the IP resolved that it's coming from resolves to mx1.forwardemail.net or mx2.forwardemail.net in a reverse lookup. You can get the IP's specifically from dig mx1.forwardemail.net a or dig mx2.forwardemail.net a, so you could hard code it's from those specific IP addresses (or hostname in reverse lookup).

[m4rvr]

Thanks for your fast response. Checking the IP works for me. :)