Security update - July-2021: Restricting Server Method Invocation (SMI) requests made to Serverless event handlers

Dear Freshworks App Developers,

We hope this update finds you in health and safety.

As we continue to invest in improving the security posture of your platform, we would like to share an update regarding an upcoming change with respect to what Serverless Apps developers should expect and prepare for.

Starting July 25 2021, a Server Method Invocation (SMI) cannot by default invoke a method mapped as a handler to a Serverless Event (either a Product / App Setup / Scheduled / External event) in server.js.

The example below demonstrates a setup that is no longer permitted.

Serverless component

// Restriction to access product event handler methods via SMI

exports = {
  events: [{ event: "onTicketCreate", callback: "onTicketCreateCallback" }],
  onTicketCreateCallback: function (payload) {
    console.log("Logging arguments from onTicketCreate event: " + JSON.stringify(payload));

Frontend component

var options = {};

// The following invocation to onTicketCreateCallback is restricted

client.request.invoke("onTicketCreateCallback", options).then(function (data) {}, function (error) {} );

Apps that try to invoke an event handler should expect an error with status code 404.

This security update is applicable for both new and existing apps in all the products starting July 25, 2021.

If you have tried to reuse an event handler this way for an SMI invocation, we recommend refactoring your source code to ensure SMI has its own method to invoke separately. We understand that you may need some time to update your apps to adapt to this expectation. If you are unable to update your app by July 25, please reach out to us via Dev-Assist portal so that we can temporarily whitelist your app to not be impacted by this change.

We will be announcing more capabilities around SMI and the reuse of code within the Freshworks Serverless App framework in the coming weeks to make this more seamless.


One question,

This only applies for the methods mapped?
I mean, if I invoke a method that is not mapped to any event, I can trust will be working in a regular way right?



Hi @neri,

Yes, your understanding is correct. The app will continue to work if the app invokes a function that is not mapped to any Serverless event.

1 Like