Skip to content

jeysal/ifttt-webhook-shield

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits

flow-typed/npm

flow-typed/npm

 
 

src

src

 
 

.babelrc.js

.babelrc.js

 
 

.editorconfig

.editorconfig

 
 

.eslintrc

.eslintrc

 
 

.flowconfig

.flowconfig

 
 

.gitignore

.gitignore

 
 

.jestrc

.jestrc

 
 

.travis.yml

.travis.yml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

appveyor.yml

appveyor.yml

 
 

package.json

package.json

 
 

server.js

server.js

 
 

vercel.json

vercel.json

 
 

yarn.lock

yarn.lock

 
 

Repository files navigation

ifttt-webhook-shield

IFTTT webhook URLs without embedded maker key

build status AppVeyor build status code coverage

license

The problem

IFTTT webhooks are a great tool for integrating IFTTT with anything that supports HTTP.
However, they have a small shortcoming: You cannot give a link to anyone without compromising your IFTTT maker key, because it is embedded in the URL: https://maker.ifttt.com/trigger/<event>/with/key/<here it is>
If you were to, say, stick a NFC tag somewhere in your home, with an IFTTT webhook link on it to toggle one of your smart light bulbs so visitors can turn the lights on and off by holding their phone up against it, you would enable them to trigger any arbitrary webhook event - including the one that orders you new items worth 1000$, unlocks your front door or does whatever else you may have configured - because they have your key now.

The solution

Do not give anyone a direct webhook link with your key embedded in it - instead, give them links that are authenticated, but only for one specific event.

This application creates an HTTP server that accepts requests to /<event>/<digest>, but only forwards them to IFTTT if the digest is a valid HMAC (sha256) over the event, using a secret that you gave the application. Your actual IFTTT maker key is only available to this server, not to anyone who gets a link to trigger webhook events.

Configuration

The following environment variables need to be set:

  • PORT (the server port, default 8080)
  • MAKER_KEY (your IFTTT maker key from here)
  • HMAC_SECRET (a sufficiently large and random secret, see "Running")

Running

WARNING: If you make the server available to more than just your private network, you should definitely put an HTTPS proxy in front of it.

Node.js and npm are required.
Clone this repository to your machine, then run:

npm install
npm run build
head -c128 /dev/random >secret
MAKER_KEY=YOURKEYHERE HMAC_SECRET="$(cat secret)" npm start

If you visit localhost:8080/abc/xyz now, you should be greeted with a nice invalid digest message.

So how can we trigger the webhook event abc now? OpenSSL is really good at calculating digests, so we'll just use that:

echo -n abc | openssl dgst -hex -sha256 -hmac "$(cat secret)"

This should output (stdin)= <digest>. Use that digest to navigate to localhost:8080/abc/<digest>. This time, you should see Congratulations! You've fired the abc event, indicating that the request was successful. If you give the URL you used here to somebody else, they will only be able to trigger this particular event on your IFTTT maker channel.

Vercel

This application is ready for deployment on the Vercel platform. If you deploy there, your IFTTT webhook shield will instantly be globally available behind a secure HTTPS proxy.

Set up Vercel and then generate a secret as shown above. Then, instead of npm starting locally, create the required vercel secrets and deploy:

vercel secrets add ifttt-maker-key YOURKEYHERE
vercel secrets add ifttt-webhook-shield-hmac-secret "$(cat secret)"
vercel

About

IFTTT webhook URLs without embedded maker key

Topics

webhooks proxy webhook hmac ifttt shield forward

Resources

Readme

License

MIT license
Activity

Stars

5 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages