Describe the bug

Critical Security Vulnerability: Webhook Endpoints Lack Authentication and Signature Verification. The generic webhook controller, which handles all user defined webhooks for triggering workflows, is configured with skipAuth: true. This makes the endpoints public. Furthermore, there is no signature verification mechanism to validate the authenticity of incoming requests.

Vulnerability
This lack of authentication allows any individual with knowledge of a valid flowId to trigger the associated workflow. This exposes the application to several severe risks without requiring any authentication.

Impact

A malicious actor can exploit this vulnerability.

Attacker can repeatedly call a webhook endpoint, consuming server resources, potentially leading to service unavailability and incurring high operational costs. If a workflow interacts with a database or other data stores, an attacker can trigger it with malicious payloads, leading to data corruption, deletion, or unauthorized modifications. An attacker can trigger workflows that perform sensitive actions, such as sending emails, interacting with third party APIs, or otherwise manipulating the system's state.

Vulnerable Code
The WEBHOOK_PARAMS constant within the controller sets skipAuth: true.

workflow/packages/backend/api/src/app/webhooks/webhook-controller.ts

To Reproduce
Navigate to the workflow creation page in the application. Create a new workflow and select Webhook as the trigger. Add a simple second step, such as "Send Email" or a basic "No-Op" code step, so the execution is visible. Save and enable the workflow.

For the trigger, select the "Webhook" trigger. This will generate a unique URL for the webhook, which includes a flowId. The URL will look something like this: https://api.aixblock.io/v1/webhooks/<flowId>

After this Execute an Unauthenticated Request, Open a terminal on any machine that does not have an active, authenticated session with the application.

Execute the following curl command, replacing {flowId} with the ID you copied in the previous step.

curl -X POST \
      -H "Content-Type: application/json" \
      -d '{"test_payload": "This request is not authenticated"}' \
      https://api.aixblock.io/v1/webhooks/{flowId}

Present behavior
The server will immediately respond with an HTTP 200 OK status code. Navigating to the workflow's run history in the application UI will show that the workflow was successfully triggered by this unauthenticated request.

Expected Result
The server should reject the request with an HTTP 401 Unauthorized or 403 Forbidden status code, as it was not signed or sent with valid authentication credentials. The workflow should not be executed.

Fix

Modify the webhook-controller.ts to verify a signature on every incoming request.

The client sending the webhook must use the secret to create a signature. The controller must recalculate the signature on the server side and compare it to the one in the header. If the signature is missing or invalid, the request must be rejected.