Description
Feature request
Allow setting a token to be sent with webhook POST requests from smtp2http, enabling receivers to verify the authenticity of the request. This is intended for systems where HTTP Basic Auth is not suitable, and the receiver may not process headers in the standard way.
Background:
- The first implementation supported HTTP Basic Auth using SMTP_USER and SMTP_PASSWORD.
- This works for custom systems, but some receivers cannot handle headers, so a webhook-like token flow is needed.
Proposed Solution:
- Allow the user to set a token value (via env var or config).
- When sending a webhook POST, include the token as a query parameter (e.g., ?token=...) or in the body/payload.
- Document usage and security considerations.
Security Recommendation:
- If a webhook token is configured, smtp2http should send only the token and NOT include HTTP Basic Auth in the same request. This avoids leaking SMTP_USER and SMTP_PASSWORD to endpoints that do not require them and follows best practices for webhook authentication.
- If only HTTP Basic Auth is configured (no token), then send the Authorization header.
- If neither is set, no authentication information will be sent (not recommended for production).
Use Case:
- Enables integration with services that expect a token-based webhook authentication instead of HTTP Basic Auth.
System Scenarios
| Scenario | Authorization header | Token in URL/Payload | Receiver must support |
|---|---|---|---|
| Only Basic Auth | Yes | No | HTTP Basic Auth in headers |
| Only Webhook Token | No | Yes | Token in query or payload |
| Both Auth & Token | No (see recommendation) | Yes | Token-based authentication |
| Neither set | No | No | No authentication (open) |
- As recommended, if both Basic Auth and a webhook token are configured, only the token should be sent.
- If neither is set, no authentication information will be sent, which is not recommended for production.
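The precedence rules from the scenario table, together with a receiver-side check, as an added example that is not smtp2http's own code. The WEBHOOK_TOKEN variable name, the function names, and the sample URL, credentials and token are assumptions constructed for illustration.

```python
import hmac
from base64 import b64encode
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit


def _with_token(url, value):
    """Return url with any existing token parameter replaced by value."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    query.append(("token", value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_request(url, env):
    """Sender side: pick exactly one auth mechanism, token first."""
    token = env.get("WEBHOOK_TOKEN")  # assumed name, not defined by the issue
    user, password = env.get("SMTP_USER"), env.get("SMTP_PASSWORD")
    if token:
        # Token configured: never attach the SMTP credentials as well.
        return _with_token(url, token), {}
    if user and password:
        cred = b64encode(f"{user}:{password}".encode()).decode()
        return url, {"Authorization": f"Basic {cred}"}
    return url, {}  # open webhook, not recommended for production


def receiver_accepts(request_url, expected_token):
    """Receiver side: constant-time comparison; an unset secret rejects all."""
    if not expected_token:
        return False
    supplied = parse_qs(urlsplit(request_url).query).get("token", [""])[0]
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def redact(url):
    """Log-safe form of a URL that carries the token in its query string."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample configuration: both mechanisms set, so the token must win.
ENV_BOTH = {"SMTP_USER": "user", "SMTP_PASSWORD": "pass",
            "WEBHOOK_TOKEN": "tok-constructed-123"}
SENT_URL, SENT_HEADERS = build_request(
    "https://receiver.example/hook?src=mail", ENV_BOTH)
```

Query strings are commonly recorded in proxy and server access logs, so write the `redact()` form of the URL to logs rather than the URL that was sent.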