hubot-webhook

Generic Webhook plugin for Hubot

Description

This hubot script sends incoming messages to a remote Webhook URL as an HTTP POST request, and if there's a response back from the webhook, renders the text as a reply.

The remote webhook has a compatibility with Slack's Custom Slash Commands, and the POST body would look like:

room_id=1&
room_name=chatroom&
user_id=123&
user_name=miyagawa&
text=hello+world

The response body will be rendered as a reply when the response is 200. Any non-200 response will be ignored.

Installation

> npm install --save hubot-webhook

Configuration

HUBOT_WEBHOOK_URL

HUBOT_WEBHOOK_URL is a required environment variable to set the webhook endpoint.

> export HUBOT_WEBHOOK_URL=https://your-handler.herokuapp.com/

HUBOT_WEBHOOK_COMMANDS

By default, all incoming messages addressed to Hubot will be sent to the Webhook URL:

miyagawa> hubot weather 94107
# -> POST ${HUBOT_WEBHOOK_URL} ...&text=weather+94107

If you want to limit the commands, you can set them in HUBOT_WEBHOOK_COMMANDS as a comma-separated list.

> export HUBOT_WEBHOOK_COMMANDS=weather,stock,deploy

miyagawa> hubot weather 94107
# -> command=weather&text=94107

miyagawa> hubot stock $AAPL
# -> command=stock&text=$AAPL

miyagawa> hubot deploy production master
# -> command=deploy&text=production+master

miyagawa> hubot hello
# (ignored)

Hubot's aliasing feature would be useful if you want it act like a slash command:

> export HUBOT_ALIAS=/

miyagawa> /weather 94107
# -> command=weather&text=94107

HUBOT_WEBHOOK_PARAMS

To identify the incoming HTTP requests from other bot instances, you can set a static, extra list of parameter(s) in HUBOT_WEBHOOK_PARAMS that will be sent to the webhook URL along with the message.

> export HUBOT_WEBHOOK_PARAMS="token=1234567890"

HUBOT_WEBHOOK_HMAC_SECRET

To verify that the request comes from this bot, you can set an HMAC secret key that should be shared between Hubot and the receiver.

> export HUBOT_WEBHOOK_HMAC_SECRET=a068a22dbe1b0a577d3800a3233f5a23693ae920

miyagawa> /weather 94107
# -> POST ...
#    X-Webhook-Signature: sha1=dbdadeb3c4615399acd809cfb0d996ba0f31db41

The signature is generated using HMAC's hexdigest using SHA1 algorithm, in such a way (in Node):

var crypto = require('crypto');
'sha1=' + crypto.createHmac('sha1', 'SECRET').update(post_body).digest('hex');

If you're using Ruby, the same signature can be generated as:

require 'openssl'
'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), 'SECRET', post_body)

See also how to validate GitHub's webhooks which uses the same technique, but with a different header name.

HUBOT_WEBHOOK_METHOD

You can set HUBOT_WEBHOOK_METHOD to GET to send the webhook as a GET rather than a POST request.

Author

Tatsuhiko Miyagawa

License

MIT