Mambu Banking Engine

Ideas aimed to improve the current experience provided by the Mambu Banking Engine.

Add API key security when calling MPO processes using Mambu webhooks

SUMMARY: As an integrator, I want to securely call MPO processes using the Corezoid API keys so that my processes are secure.

WHAT: When creating webhooks in Mambu the only security options are basic authentication or no authentication. This means there is no way to directly call MPO processes without leaving the MPO process with no authentication. MPO uses API keys as detailed here https://doc.corezoid.com/docs/en/add-tasks and https://doc.corezoid.com/docs/protocol-description.

WHY: Leaving MPO processes without authentication leaves the risk that unapproved users can trigger these processes. As Basic Authentication is a simple authentication scheme it would be more secure if webhooks can utilize the stronger authentication method offered by MPO.

HOW: MPO uses API keys as detailed here https://doc.corezoid.com/docs/en/add-tasks and https://doc.corezoid.com/docs/protocol-description.

Below is some example code to build the MPO request items:

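// Postman pre-request script: builds the values the MPO (Corezoid) request needs.
var moment = require('moment');

// Current time in seconds since the Unix epoch (GMT).
var unixtime = moment().unix();
// API key secret and process ID are read from the Postman environment.
var secret = pm.environment.get("apiKey");
var procId = pm.environment.get("processID");
// Raw request body; the signature covers exactly this string.
var body = request.data;

pm.environment.set("GMT_UNIXTIME", unixtime);

// Signature = hex(SHA1(GMT_UNIXTIME + secret + body + secret)).
var signature = CryptoJS.SHA1(unixtime + secret + body + secret);
pm.environment.set("SIGNATURE", CryptoJS.enc.Hex.stringify(signature));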

Dev-less solution:

MPO processes call a third-party application with basic authentication, for example on AWS Lambda. This third-party application calls the MPO process with API key security.

  • Kevin Boyle
  • Oct 15 2020
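A sketch of the relay described under "Dev-less solution", added here as an example and not part of the original idea or of Mambu's or Corezoid's code: it checks the Basic credentials the webhook sends, then signs the body with the recipe from the script above. The function names, the `{headers, body}` event shape and the `cfg` fields are assumptions, and all credentials are constructed placeholders.

```javascript
const crypto = require("crypto");

// Signature recipe from the script on this page:
// hex(SHA1(GMT_UNIXTIME + secret + body + secret)).
function signTask(secret, body, unixtime) {
  return crypto
    .createHash("sha1")
    .update(String(unixtime) + secret + body + secret, "utf8")
    .digest("hex");
}

// Compare fixed-length digests in constant time, so the check does not
// reveal how many leading characters of a guess were correct.
function safeEqual(a, b) {
  const ha = crypto.createHash("sha256").update(a).digest();
  const hb = crypto.createHash("sha256").update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Validate an "Authorization: Basic base64(user:pass)" header.
function checkBasicAuth(header, user, pass) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(header || "");
  if (!m) return false;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  return safeEqual(decoded, `${user}:${pass}`);
}

// Hypothetical relay step: reject unauthenticated calls, otherwise return
// the signed values to forward. `now` is injectable for testing.
function relay(event, cfg, now = Math.floor(Date.now() / 1000)) {
  const auth = (event.headers || {}).authorization;
  if (!checkBasicAuth(auth, cfg.user, cfg.pass)) {
    return { status: 401 };
  }
  // Sign the exact string that is forwarded; re-serialising the JSON
  // after signing would change the bytes and invalidate the signature.
  const body = event.body;
  return {
    status: 200,
    forward: {
      GMT_UNIXTIME: now,
      SIGNATURE: signTask(cfg.apiSecret, body, now),
      body,
    },
  };
}
```

The API secret lives only in the relay's configuration, so it never has to be stored in the webhook definition.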