Deploy: 2026-05-21 18:06:46

backend/app/Controllers/WhatsAppController.php

@@ -52,7 +52,10 @@ class WhatsAppController extends BaseController
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
         curl_setopt($ch, CURLOPT_POST, true);
         curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
-        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, [
+            'Content-Type: application/json',
+            'X-Webhook-Secret: ' . getenv('WEBHOOK_SECRET')
+        ]);
         curl_setopt($ch, CURLOPT_TIMEOUT, 5);
         $result = curl_exec($ch);
         $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
@@ -92,7 +95,10 @@ class WhatsAppController extends BaseController
             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
             curl_setopt($ch, CURLOPT_POST, true);
             curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
-            curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
+            curl_setopt($ch, CURLOPT_HTTPHEADER, [
+                'Content-Type: application/json',
+                'X-Webhook-Secret: ' . getenv('WEBHOOK_SECRET')
+            ]);
             curl_setopt($ch, CURLOPT_TIMEOUT, 5);
             curl_exec($ch);
             curl_close($ch);

whatsapp-gateway/baileys-client.js

@@ -12,7 +12,7 @@ if (!fs.existsSync(SESSIONS_DIR)) {
     fs.mkdirSync(SESSIONS_DIR, { recursive: true });
 }
 
-const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET || 'YOUR_SECRET_KEY_HERE';
+const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;
 
 async function sendWebhook(webhook_url, payload) {
     try {
@@ -64,7 +64,7 @@ async function startSession(session_key, webhook_url) {
             const statusCode = lastDisconnect?.error?.output?.statusCode;
             const shouldReconnect = statusCode !== DisconnectReason.loggedOut;
             console.log(`Session ${session_key} connection closed. Reconnect: ${shouldReconnect}`);
-            
+
             if (shouldReconnect) {
                 // Try reconnecting after a short delay
                 sessions.delete(session_key);
@@ -80,8 +80,8 @@ async function startSession(session_key, webhook_url) {
         } else if (connection === 'open') {
             console.log(`Session ${session_key} connected successfully!`);
             // Parse phone number from the JID (e.g. 9665XXXXXXX@s.whatsapp.net)
-            const phone = sock.user.id.split(':')[0]; 
-            
+            const phone = sock.user.id.split(':')[0];
+
             await sendWebhook(webhook_url, {
                 session_key,
                 state: 'connected',
@@ -96,10 +96,10 @@ async function startSession(session_key, webhook_url) {
 async function disconnectSession(session_key) {
     const sock = sessions.get(session_key);
     if (sock) {
-        try { sock.logout(); } catch (e) {} // best effort
+        try { sock.logout(); } catch (e) { } // best effort
         sessions.delete(session_key);
     }
-    
+
     // Completely wipe the auth directory so a fresh session can be created next time
     const sessionFolder = path.join(SESSIONS_DIR, session_key);
     if (fs.existsSync(sessionFolder)) {

whatsapp-gateway/server.js

@@ -28,11 +28,20 @@ app.use(express.json());
 
 const PORT = process.env.PORT || 3722;
 
-// Health check endpoint
+// Health check endpoint (Public)
 app.get('/health', (req, res) => {
     res.json({ status: 'healthy', service: 'Nabeh WhatsApp Gateway' });
 });
 
+// Security Middleware: Protect all /api/ routes
+app.use('/api', (req, res, next) => {
+    const secret = req.header('X-Webhook-Secret');
+    if (!process.env.WEBHOOK_SECRET || secret !== process.env.WEBHOOK_SECRET) {
+        return res.status(403).json({ error: 'Unauthorized gateway access' });
+    }
+    next();
+});
+
 // Start or retrieve a session
 app.post('/api/sessions/start', async (req, res) => {
     const { session_key, webhook_url } = req.body;