Remove the useless 'secret key', since it doesn't add any more security than the path.

cmd/smartswitch-server/main.go

@@ -13,10 +13,9 @@ import (
 type webhook struct {
 	Name              string
 	Path              string
-	SecretKey         string `yaml:"secret_key"`
-	NumSwitches       int    `yaml:"num_switches"`
-	MomentarySwitches []int  `yaml:"momentary_switches"`
-	SwitchStates      []int  `json:switch_states`
+	NumSwitches       int   `yaml:"num_switches"`
+	MomentarySwitches []int `yaml:"momentary_switches"`
+	SwitchStates      []int `json:switch_states`
 }
 
 func debug(msg string, args ...interface{}) {
@@ -54,23 +53,6 @@ func runServer() {
 
 func makeWebhookHandler(hook webhook) func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// authentication check
-		keys, ok := r.URL.Query()["key"]
-		if !ok || len(keys) == 0 {
-			log.Printf("No key found for webhook: %s", hook.Name)
-			http.NotFound(w, r)
-			return
-		}
-		providedKey := keys[0]
-
-		if providedKey == "" || providedKey != hook.SecretKey {
-			log.Printf("Failed to authenticate request for webhook: %s", hook.Name)
-			debug("Got key '%s', expected key '%s'", providedKey, hook.SecretKey)
-			http.NotFound(w, r)
-			return
-		}
-
-		// now actually handle the request
 		if r.Method == "GET" {
 			webhookRead(hook, w, r)
 

readme.md

@@ -14,8 +14,7 @@ The server can be configured via the following environment variables:
 The webhooks configuration file should be an array of entries with the following keys:
 
 * name - A human-readable name that explains the webhook's purpose.
-* path - The webhook will be served by the app at this path.
-* secret_key - An authentication value for reading and writing to the webhook. This must be included in all requests. (see Usage for format)
+* path - The webhook will be served by the app at this path. **Treat this as a secret value.**
 * num_switches - the number of data points / indexes expected with each POST.
 * momentary_switches - an array of any indexes that refer to 'momentary' switches.  
   The value of these indexes will be reset to 0 after the next GET request to the webhook.
@@ -37,7 +36,7 @@ And run with:
 A dockerfile is also included, along with a sample docker-compose.yml demonstrating
 how the server might be run in a containerized environment.
 
-Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using plain http WILL expose your secret keys.
+Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using plain http WILL expose your secrets.
 
 
 ## Usage
@@ -45,7 +44,7 @@ Note that you SHOULD always run this service behind a TLS-encrypted proxy. Using
 To read the current webhook data, simply send a GET to the webhook URL, with the `key` parameter appropriately set. Example:
 
 ```
-curl -x GET "https://example.com/WEBHOOK_PATH?key=WEBHOOK_KEY
+curl -x GET "https://example.com/WEBHOOK_PATH
 ```
 
 To write data, send a POST to the same URL, with a json-formatted body in the following format:
@@ -53,3 +52,8 @@ To write data, send a POST to the same URL, with a json-formatted body in the fo
 ```
 [value0, value1, value2, ...]
 ```
+
+
+## Future Development
+
+* Use a more robust secret than "the URL is hidden behind TLS." Maybe client-side x509 certs.

webhooks.yml.example

@@ -3,7 +3,6 @@
 # 0 again.
 - name: Momentary Switch
   path: Path_0
-  secret_key: SecretKey_0
   num_switches: 1
   momentary_switches:
     - 0
@@ -12,14 +11,12 @@
 # written value
 - name: Three Latched Switches
   path: Path_1
-  secret_key: SecretKey_1
   num_switches: 3
   momentary_switches:
 
 # The first and 3rd data point on this webhook are momentary switches. The other 3 are latched.
 - name: Mix of Types
   path: Path_2
-  secret_key: SecretKey_2
   num_switches: 5
   momentary_switches:
     - 0