Feat(webhook_listeners): add auth tokens to webhook call

[janepie]

Summary

Needed for Windmill integration.

This code adds an option to ask for authentication tokens when registering a webhook. The requested tokens will be added to the dispatched request to the defined endpoint.

All tokens generated with this have a lifetime of 1 hour and will be deleted after that in a background job every 5 min.

Tokens can be requested in the tokenNeeded parameter, which accepts listed values in the two fields "user_ids" and "user_roles".
"user_ids" is a list of user uids for which tokens are needed, "user_roles" is a list of roles (users not defined by their ID but by the role they have in the webhook event) for which tokens can be included. Possible roles: "owner" for the user creating the webhook, "trigger" for the user triggering the webhook call.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

[julien-nc]

From you branch, at the top of server, you can run

composer i
# you might wanna revert what it does to lib/composer
git checkout ./lib/composer/
composer run cs:check ./apps/webhook_listeners/lib
# or if you have Php 8.4 like me and it's refused by php-cs
PHP_CS_FIXER_IGNORE_ENV=1 composer run cs:check ./apps/webhook_listeners/lib
# and if you want to fix the syntax issues:
composer run cs:fix ./apps/webhook_listeners/lib

(for later) To implement the token expiration mechanism you might need a new table where you store

• the token ID
• the webhook ID
• if needed, the token creation timestamp

[oleksandr-nc]

Who will revoke generated token once it is not needed? Will we revoke it in the server repo or in the Windmill integration app itself?

Another question related to previous: If the token was generated for user bob first time, and then second time the flow was triggered - should we create a new token for user bob or update the olds token expiration time?

[julien-nc]

@oleksandr-nc

Who will revoke generated token once it is not needed?

IMO the tokens should be revoked by a background job in webhook_listeners.

should we create a new token for user bob or update the olds token expiration time?

I think it's clearer and cleaner if we have independent tokens for each webhook "call". If the token generated for the first run leaks for some reason, it's bad if we make it live longer.

[oleksandr-nc]

IMO the tokens should be revoked by a background job in webhook_listeners.

This definetly should be added as a comment to the code.

[julien-nc]

Yep, this PR is still WIP. This is planned.

[come-nc]

One last nitpick.

[come-nc]

Suggested change

	$this->deleteByTokenId($token->getTokenId()); // delete db row in webhook_tokens
	$this->delete($token); // delete db row in webhook_tokens

I think we do not need to delete by token id? I think the method deleteByTokenId can even be removed.
On big instances it may matter to delete by the entity id which is more likely to be indexed.

[janepie]

Ah right, didn't know that this delete method exists magically when writing that. Will change and test, thanks!

[janepie]

@AndyScherzinger can you force-merge? Cypress setup not behaving