🔒️ secure /chatwoot endpoint behind api key when using -k #2362

Author: smashah

src/cli/index.ts

@@ -100,13 +100,6 @@ async function start() {
             }
         })
 
-        if(cliConfig?.chatwootUrl){
-            spinner.info('Setting Up Chatwoot handler');
-            spinner.info('Make sure to set up the Chatwoot inbox webhook to the following path on this process: /chatwoot');
-            await setupChatwoot(cliConfig, client);
-            spinner.succeed('Chatwoot handler set up successfully');
-        }
-
         if(cliConfig?.botPressUrl){
             spinner.info('Setting Up Botpress handler');
             setupBotPressHandler(cliConfig, client)
@@ -138,6 +131,13 @@ async function start() {
                 setupAuthenticationLayer(cliConfig)
             }
 
+            if(cliConfig?.chatwootUrl){
+                spinner.info('Setting Up Chatwoot handler');
+                spinner.info(`Make sure to set up the Chatwoot inbox webhook to the following path on this process: /chatwoot${cliConfig.key ? `?api_key=YOUR-API-KEY` : ''}`);
+                await setupChatwoot(cliConfig, client);
+                spinner.succeed('Chatwoot handler set up successfully');
+            }
+
             setupRefocusDisengageMiddleware(cliConfig)
 
             if (cliConfig && cliConfig.generateApiDocs && collections["swagger"]) {

src/cli/server.ts

@@ -50,7 +50,9 @@ export const setupAuthenticationLayer : (cliConfig : cliFlags) => void = (cliCon
             return next();
         }
         const apiKey = req.get('key') || req.get('api_key')
-        if (!apiKey || apiKey !== cliConfig.key) {
+        if (req.path.includes('chatwoot') && req.query['api_key'] && req.query['api_key'] == cliConfig.key) {
+            next();
+        } else if (!apiKey || apiKey !== cliConfig.key) {
             res.status(401).json({ error: 'unauthorised' })
         } else {
             next()