any way to use this with an encrypted channel? #29

Open
horstepipe opened this issue Nov 16, 2021 · 6 comments

@horstepipe

Hello
Is there any way to use this with an encrypted channel?

Best regards

@geluk
Owner

geluk commented Nov 23, 2021

Hi @horstepipe,

Unfortunately there is not yet a way to use encrypted channels with the webhook gateway. I would like to further investigate supporting this, because I think it is a very valuable feature to have, but that will take some more time.

@horstepipe
Author

Hi,
Thanks for the answer!
Are you aware of that project?
https://github.com/immanuelfodor/matrix-encrypted-webhooks
Maybe you could grab some ideas/code from there.

@jthomaschewski

jthomaschewski commented Feb 2, 2022

Maybe this can be achieved with low development effort by adding support for pantalaimon?

Looks like this slack appservice is doing that: https://matrix-appservice-slack.readthedocs.io/en/stable/bridge-encryption/
Looked at the code and it seems to me that they only added some conditionals to use pantalaimon url in some cases and the actual matrix server url in other cases.
See e.g. https://github.com/matrix-org/matrix-appservice-slack/blob/3b17bf851ea910d91d2a5bfe212d2e6a1f744077/src/Main.ts#L480

I tried setting pantalaimon as homeserver_url but that resulted in auth errors (M_UNKNOWN_TOKEN when accessing http://pantaaimon:8008/_matrix/client/r0/profile/..../avatar_url).

@geluk
Owner

geluk commented Feb 3, 2022

Hi @jthomaschewski, thanks for the suggestion! I can't quite manage to get pantalaimon configured locally yet (I'm having some trouble with panctl), but I've pushed a small update that might allow the gateway to communicate with it.

If you'd like to test this, fetch the latest development release (docker pull geluk/matrix-webhook-gateway:dev or just clone the repository) and set pantalaimon_url in your config file (see here: https://github.com/geluk/matrix-webhook-gateway/blob/master/templates/gateway-config.yaml#L30).

@jthomaschewski

Hi @geluk, thanks for the quick response and development release!

I tested it but unfortunately it didn't work. Same behavior as with the :latest tag:

webhook-gateway start with pantalaimon:

```
webhook-gateway_1  |     href: 'http://pantalaimon:8008/_matrix/client/r0/profile/%40bot_webhook%3Amyserver.tld/avatar_url',
webhook-gateway_1  |     req: [Circular *11],
webhook-gateway_1  |     ntick: true,
webhook-gateway_1  |     timeoutTimer: null,
webhook-gateway_1  |     response: [Circular *11],
webhook-gateway_1  |     originalHost: 'pantalaimon:8008',
webhook-gateway_1  |     originalHostHeaderName: 'host',
webhook-gateway_1  |     responseContent: [Circular *11],
webhook-gateway_1  |     _destdata: true,
webhook-gateway_1  |     _ended: true,
webhook-gateway_1  |     _callbackCalled: true
webhook-gateway_1  |   },
webhook-gateway_1  |   toJSON: [Function: responseToJSON],
webhook-gateway_1  |   caseless: Caseless {
webhook-gateway_1  |     dict: {
webhook-gateway_1  |       'access-control-allow-headers': 'Origin, X-Requested-With, Content-Type, Accept, Authorization',
webhook-gateway_1  |       'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
webhook-gateway_1  |       'access-control-allow-origin': '*',
webhook-gateway_1  |       'content-type': 'application/json; charset=utf-8',
webhook-gateway_1  |       'content-length': '69',
webhook-gateway_1  |       date: 'Thu, 03 Feb 2022 23:48:04 GMT',
webhook-gateway_1  |       server: 'Python/3.8 aiohttp/3.7.4.post0',
webhook-gateway_1  |       connection: 'close'
webhook-gateway_1  |     }
webhook-gateway_1  |   },
webhook-gateway_1  |   body: {
webhook-gateway_1  |     errcode: 'M_UNKNOWN_TOKEN',
webhook-gateway_1  |     error: 'Unrecognised access token.'
webhook-gateway_1  |   }
webhook-gateway_1  | }
webhook-gateway_1  | 2022-02-03 23:48:04.492  FATAL [webhook-srv] Could not start webhook-gateway
```

I have synapse+pantalaimon+webhook-gateway within the same docker network and pantalaimon is working fine.
I use it with matterbot, which authenticates by user/password - it's not an appservice though.

Pantalaimon does seem to have issues/quirks when used with appservices :(
See e.g. matrix-org/pantalaimon#107 and matrix-org/pantalaimon#84 (possible fix).

It seems to try to "sync" on startup, which doesn't work for appservices due to missing access token.
As I have no knowledge of the Matrix protocol, I have no clue if it's possible to work around it somehow - or whatever matrix-appservice-slack is doing to make it work...

Btw here is my pantalaimon docker config, maybe it helps you if you wanna try:

docker-compose.yml for pantalaimon:

```yaml
  pantalaimon:
    image: matrixdotorg/pantalaimon:v0.10.3
    restart: unless-stopped
    volumes:
      - pantalaimon-data:/data
      - ./pantalaimon.conf:/data/pantalaimon.conf:ro
```

pantalaimon.conf:

```ini
[Default]
LogLevel = Warning
SSL = True

[local-matrix]
Homeserver = https://my.homeserver.tld
ListenAddress = 0.0.0.0
ListenPort = 8008
SSL = False
UseKeyring = False
IgnoreVerification = True
```

With this config all docker services within the same network as pantalaimon can configure http://pantalaimon:8008 as their homeserver_url and will reach https://my.homeserver.tld with encryption support
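
An added example, not part of the comment above or of pantalaimon's code: an audit of the `pantalaimon.conf` quoted above that lists the options which loosen the proxy's security properties, using the option meanings from pantalaimon's configuration documentation. The function name `audit_pantalaimon_conf`, the finding texts and the treatment of `[Default]` as the fallback section are assumptions made for this example.

```python
import configparser

# Constructed sample: the pantalaimon.conf quoted in the comment above.
SAMPLE_CONF = """\
[Default]
LogLevel = Warning
SSL = True

[local-matrix]
Homeserver = https://my.homeserver.tld
ListenAddress = 0.0.0.0
ListenPort = 8008
SSL = False
UseKeyring = False
IgnoreVerification = True
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_pantalaimon_conf(text):
    """Return (section, option, finding) tuples for settings that weaken the proxy."""
    # Assumption: [Default] supplies fallback values for every homeserver section,
    # so a per-section value (SSL = False here) overrides the [Default] one.
    cp = configparser.ConfigParser(default_section="Default")
    cp.read_string(text)
    findings = []
    for name in cp.sections():  # homeserver sections only, [Default] is excluded
        sec = cp[name]
        if not sec.getboolean("SSL", fallback=True):
            findings.append((name, "SSL", "certificate verification towards the homeserver is off"))
        if sec.getboolean("IgnoreVerification", fallback=False):
            findings.append((name, "IgnoreVerification", "room keys are shared with unverified devices"))
        if not sec.getboolean("UseKeyring", fallback=True):
            findings.append((name, "UseKeyring", "access tokens are stored in plaintext in the database"))
        if sec.get("ListenAddress", "localhost") not in LOOPBACK:
            findings.append((name, "ListenAddress", "proxy listener is reachable beyond loopback"))
        if sec.get("Homeserver", "").startswith("http://"):
            findings.append((name, "Homeserver", "traffic to the homeserver is unencrypted"))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_pantalaimon_conf(SAMPLE_CONF):
        print(f"[{section}] {option}: {finding}")
```

On the quoted file this reports four options in `[local-matrix]`; inside a private docker network the `ListenAddress` finding is expected, since other containers have to reach the proxy.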

@geluk
Owner

geluk commented Feb 8, 2022

Thanks for testing! I looked into it a bit further and dug around in the source code of the Slack bridge and pantalaimon, but I couldn't find any more details on how this is supposed to work with appservices. I think we may just need to have a bit more patience while appservice support in pantalaimon is implemented. It does seem like using pantalaimon is the intended way of enabling encryption in the Matrix appservice library, which is good to know.

There might be a way to get it to work yet, but finding that out could take a fair amount of digging around, which I'd rather not do. I do appreciate the suggestions, so if someone knows what else is missing here, let me know.

I'll leave the issue open for now, if there are new developments I'll take another look.
