f4e0808a87
Previously, the botserver would accept any message sent to it. This was a security hazard, since an attacker could impersonate arbitrary users with arbitrary messages. We only want the Zulip instance where a bot is registered to be able to send out messages for that bot. To do this, this commits adds a check for the security token associated with each outgoing webhook bot. For each bot, its token is stored in the botserverrc file. The server sends the token along with each message.
11 lines
173 B
Plaintext
11 lines
173 B
Plaintext
[helloworld]
|
|
key=value
|
|
email=helloworld-bot@zulip.com
|
|
site=http://localhost
|
|
token=abcd1234
|
|
[giphy]
|
|
key=value2
|
|
email=giphy-bot@zulip.com
|
|
site=http://localhost
|
|
token=abcd1234
|