Add JWT verification for attachment route

README.md

@@ -8,6 +8,7 @@ This repository provides a Discord bot that syncs forum posts with Zendesk ticke
 - [Zendesk Discord Integration](#zendesk-discord-integration)
   - [Environment Variables](#environment-variables)
     - [`SITE`](#site)
+    - [`JWT_SECRET`](#jwt_secret)
     - [`PUSH` (optional but recommended)](#push-optional-but-recommended)
     - [`QDRANT_URL` (optional)](#qdrant_url-optional)
     - [`OPENAI_KEY` (optional)](#openai_key-optional)
@@ -28,6 +29,10 @@ You'll need to set the following environment variables, either in your command l
 
 The site on which you'll be hosting the Zendesk channel server and Discord bot (e.g. `SITE=https://somesubdomain.sourcegraph.com`).
 
+### `JWT_SECRET`
+
+A passphrase used to sign JWTs.
+
 ### `PUSH` (optional but recommended)
 
 The unique identifier of an OAuth client created under `Apps and integrations > APIs > Zendesk API > OAuth Clients`. Note that this is not a user authenticated interaction, so no redirect URL is required when creating this OAuth client.

package.json

@@ -16,6 +16,7 @@
     "ejs": "^3.1.9",
     "express": "^4.18.2",
     "form-data": "^4.0.0",
+    "jsonwebtoken": "^9.0.1",
     "openai": "^3.3.0"
   },
   "devDependencies": {
@@ -24,6 +25,7 @@
     "@sourcegraph/tsconfig": "^4.0.1",
     "@types/body-parser": "^1.19.2",
     "@types/express": "^4.17.17",
+    "@types/jsonwebtoken": "^9.0.2",
     "@types/node-zendesk": "^2.0.11",
     "jszip": "^3.10.1",
     "ts-node": "^10.9.1",

src/bot.ts

@@ -15,6 +15,7 @@ import {
     MessageType,
 } from 'discord.js'
 import dotenv from 'dotenv'
+import jwt from 'jsonwebtoken'
 import { Configuration, OpenAIApi } from 'openai'
 
 import { ChannelbackRequest, ClickthroughRequest, ExternalResource, Metadata } from './zendesk'
@@ -155,7 +156,10 @@ export async function createBot(params: BotParams): Promise<Bot> {
                     },
                 ],
                 file_urls: starter.attachments.map(
-                    attachment => `${process.env.SITE!}/attachment/${encodeURIComponent(attachment.url)}`
+                    attachment =>
+                        `${process.env.SITE!}/attachment/${encodeURIComponent(
+                            attachment.url
+                        )}?token=${encodeURIComponent(jwt.sign(attachment.url, process.env.JWT_SECRET!))}`
                 ),
             })
 
@@ -271,7 +275,10 @@ export async function createBot(params: BotParams): Promise<Bot> {
             internal_note: false,
             allow_channelback: true,
             file_urls: interaction.attachments.map(
-                attachment => `${process.env.SITE!}/attachment/${encodeURIComponent(attachment.url)}`
+                attachment =>
+                    `${process.env.SITE!}/attachment/${encodeURIComponent(attachment.url)}?token=${encodeURIComponent(
+                        jwt.sign(attachment.url, process.env.JWT_SECRET!)
+                    )}`
             ),
         })
     })

src/index.ts

@@ -2,13 +2,14 @@ import axios from 'axios'
 import bodyParser from 'body-parser'
 import dotenv from 'dotenv'
 import express from 'express'
+import jwt from 'jsonwebtoken'
 
 import { Bot, createBot } from './bot'
 import { ChannelbackRequest, ExternalResource, Metadata } from './zendesk'
 
 dotenv.config()
 
-if (!process.env.SITE) {
+if (!process.env.SITE || !process.env.JWT_SECRET) {
     console.log('bad config')
     process.exit(1)
 }
@@ -27,7 +28,15 @@ app.use(bodyParser.json())
 app.use(bodyParser.urlencoded({ extended: true }))
 
 app.all('/attachment/(*)', async (req, res) => {
+    if (typeof req.query.token !== 'string') {
+        res.status(403).send('Missing token')
+        return
+    }
+
     try {
+        const token = jwt.verify(req.query.token, process.env.JWT_SECRET!)
+        if (token !== req.params[0]) throw new Error('Mismatch')
+
         const { data } = await axios.get(req.params[0], {
             responseType: 'stream',
             timeout: 10_000,