flow_chat 0.4.1 → 0.5.1

data/SECURITY.md

@@ -0,0 +1,365 @@
+# FlowChat Security Guide
+
+This guide covers the security features and best practices for FlowChat, including webhook signature validation and simulator authentication.
+
+## Overview
+
+FlowChat includes comprehensive security features to protect your WhatsApp and USSD applications:
+
+- **Webhook Signature Validation**: Verify that WhatsApp webhooks are authentic
+- **Simulator Authentication**: Secure access to the testing simulator
+- **Configuration Validation**: Prevent insecure configurations
+- **Environment-Specific Security**: Different security levels per environment
+
+## WhatsApp Webhook Security
+
+### Signature Validation
+
+FlowChat automatically validates WhatsApp webhook signatures using HMAC-SHA256 to ensure requests come from WhatsApp.
+
+#### Required Configuration
+
+For webhook signature validation, you need to configure your WhatsApp app secret:
+
+```ruby
+# Using Rails credentials
+rails credentials:edit
+```
+
+```yaml
+whatsapp:
+  app_secret: "your_whatsapp_app_secret"
+  # ... other credentials
+```
+
+Or using environment variables:
+
+```bash
+export WHATSAPP_APP_SECRET="your_whatsapp_app_secret"
+```
+
+#### Security Modes
+
+FlowChat supports two security modes for webhook validation:
+
+**1. Full Security (Recommended for Production)**
+
+```ruby
+config = FlowChat::Whatsapp::Configuration.new
+config.app_secret = "your_whatsapp_app_secret"  # Required
+config.skip_signature_validation = false        # Default: enforce validation
+```
+
+**2. Development Mode (Testing Only)**
+
+```ruby
+config = FlowChat::Whatsapp::Configuration.new
+config.app_secret = nil                         # Not required when disabled
+config.skip_signature_validation = true         # Explicitly disable validation
+```
+
+⚠️ **Security Warning**: Never disable signature validation in production environments.
+
+#### Configuration Error Handling
+
+When `app_secret` is missing and validation is not explicitly disabled, FlowChat raises a `ConfigurationError`:
+
+```ruby
+begin
+  processor.run WelcomeFlow, :main_page
+rescue FlowChat::Whatsapp::ConfigurationError => e
+  Rails.logger.error "Security configuration error: #{e.message}"
+  head :internal_server_error
+end
+```
+
+The error message provides clear guidance:
+
+```
+WhatsApp app_secret is required for webhook signature validation. 
+Either configure app_secret or set skip_signature_validation=true to explicitly disable validation.
+```
+
+### Environment-Specific Security
+
+Configure different security levels per environment:
+
+```ruby
+# config/initializers/flowchat.rb
+case Rails.env
+when 'development'
+  # Relaxed security for easier development
+  config.skip_signature_validation = true
+  
+when 'test'
+  # Skip validation for deterministic testing
+  config.skip_signature_validation = true
+  
+when 'staging', 'production'
+  # Full security for production-like environments
+  config.skip_signature_validation = false
+  
+  # Ensure app_secret is configured
+  if ENV['WHATSAPP_APP_SECRET'].blank?
+    raise "WHATSAPP_APP_SECRET required for #{Rails.env} environment"
+  end
+end
+```
+
+## Simulator Security
+
+### Authentication System
+
+The FlowChat simulator uses secure HMAC-SHA256 signed cookies for authentication. This prevents unauthorized access to your simulator endpoints.
+
+#### Required Configuration
+
+Configure a simulator secret in your initializer:
+
+```ruby
+# config/initializers/flowchat.rb
+FlowChat::Config.simulator_secret = "your_secure_secret_here"
+```
+
+#### Environment-Specific Secrets
+
+Use different secrets per environment:
+
+```ruby
+case Rails.env
+when 'development', 'test'
+  # Use Rails secret key with environment suffix
+  FlowChat::Config.simulator_secret = Rails.application.secret_key_base + "_#{Rails.env}"
+  
+when 'staging', 'production'
+  # Use environment variable for production
+  FlowChat::Config.simulator_secret = ENV['FLOWCHAT_SIMULATOR_SECRET']
+  
+  if FlowChat::Config.simulator_secret.blank?
+    Rails.logger.warn "FLOWCHAT_SIMULATOR_SECRET not configured. Simulator will be unavailable."
+  end
+end
+```
+
+#### Cookie Security
+
+Simulator cookies are automatically configured with security best practices:
+
+- **HMAC-SHA256 signed**: Prevents tampering
+- **24-hour expiration**: Limits exposure window
+- **Secure flag**: Only sent over HTTPS in production
+- **HttpOnly flag**: Prevents XSS access
+- **SameSite=Lax**: CSRF protection
+
+#### Enabling Simulator Mode
+
+Enable simulator mode only when needed:
+
+```ruby
+# Enable simulator only in development/staging
+enable_simulator = Rails.env.development? || Rails.env.staging?
+
+processor = FlowChat::Whatsapp::Processor.new(self, enable_simulator: enable_simulator) do |config|
+  config.use_gateway FlowChat::Whatsapp::Gateway::CloudApi
+  config.use_session_store FlowChat::Session::CacheSessionStore
+end
+```
+
+### Simulator Request Flow
+
+1. **User visits simulator**: Browser requests `/simulator`
+2. **Cookie generation**: Server generates HMAC-signed cookie
+3. **Simulator requests**: Include valid cookie for authentication
+4. **Cookie validation**: Server validates HMAC signature and timestamp
+5. **Request processing**: Continues if authentication succeeds
+
+## Security Best Practices
+
+### Production Checklist
+
+✅ **WhatsApp Security**
+- Configure `app_secret` for webhook validation
+- Set `skip_signature_validation = false`
+- Use environment variables for secrets
+- Handle `ConfigurationError` exceptions
+
+✅ **Simulator Security**  
+- Configure `simulator_secret` using environment variables
+- Enable simulator only in development/staging
+- Use unique secrets per environment
+
+✅ **Environment Configuration**
+- Different security levels per environment
+- Fail fast on missing required configuration
+- Log security warnings appropriately
+
+✅ **Error Handling**
+- Catch and log `ConfigurationError` exceptions
+- Return appropriate HTTP status codes
+- Don't expose sensitive information in errors
+
+### Development Guidelines
+
+**DO:**
+- Use Rails `secret_key_base` + suffix for development secrets
+- Skip webhook validation in development for easier testing
+- Enable simulator mode for testing
+- Use test-specific credentials in test environment
+
+**DON'T:**
+- Hardcode secrets in source code
+- Disable security in production
+- Use production secrets in development
+- Commit secrets to version control
+
+### Example Secure Configuration
+
+```ruby
+# config/initializers/flowchat.rb
+case Rails.env
+when 'development'
+  FlowChat::Config.simulator_secret = Rails.application.secret_key_base + "_dev"
+  FlowChat::Config.whatsapp.message_handling_mode = :simulator
+  
+when 'test'
+  FlowChat::Config.simulator_secret = "test_secret_#{Rails.application.secret_key_base}"
+  FlowChat::Config.whatsapp.message_handling_mode = :simulator
+  
+when 'staging'
+  FlowChat::Config.simulator_secret = ENV.fetch('FLOWCHAT_SIMULATOR_SECRET')
+  FlowChat::Config.whatsapp.message_handling_mode = :inline
+  
+when 'production'
+  FlowChat::Config.simulator_secret = ENV.fetch('FLOWCHAT_SIMULATOR_SECRET')
+  FlowChat::Config.whatsapp.message_handling_mode = :background
+  FlowChat::Config.whatsapp.background_job_class = 'WhatsappMessageJob'
+end
+```
+
+## Testing Security Features
+
+### Webhook Signature Validation Tests
+
+```ruby
+test "webhook accepts valid signature" do
+  payload = valid_webhook_payload.to_json
+  signature = OpenSSL::HMAC.hexdigest(
+    OpenSSL::Digest.new("sha256"),
+    "your_app_secret",
+    payload
+  )
+
+  post "/whatsapp/webhook",
+    params: payload,
+    headers: { 
+      "Content-Type" => "application/json",
+      "X-Hub-Signature-256" => "sha256=#{signature}" 
+    }
+
+  assert_response :success
+end
+
+test "webhook rejects invalid signature" do
+  post "/whatsapp/webhook", 
+    params: valid_webhook_payload,
+    headers: { "X-Hub-Signature-256" => "sha256=invalid_signature" }
+
+  assert_response :unauthorized
+end
+
+test "webhook rejects missing signature" do
+  post "/whatsapp/webhook", params: valid_webhook_payload
+  assert_response :unauthorized
+end
+```
+
+### Simulator Authentication Tests
+
+```ruby
+test "simulator requires valid authentication" do
+  post "/whatsapp/webhook", params: {
+    simulator_mode: true,
+    # ... webhook payload
+  }
+
+  assert_response :unauthorized  # No valid simulator cookie
+end
+
+test "simulator accepts valid authentication" do
+  # Generate valid simulator cookie
+  timestamp = Time.now.to_i
+  message = "simulator:#{timestamp}"
+  signature = OpenSSL::HMAC.hexdigest(
+    OpenSSL::Digest.new("sha256"), 
+    FlowChat::Config.simulator_secret, 
+    message
+  )
+  
+  post "/whatsapp/webhook", 
+    params: { simulator_mode: true, /* ... */ },
+    cookies: { flowchat_simulator: "#{timestamp}:#{signature}" }
+
+  assert_response :success
+end
+```
+
+## Troubleshooting
+
+### Common Issues
+
+**1. ConfigurationError: app_secret required**
+
+```
+WhatsApp app_secret is required for webhook signature validation.
+```
+
+**Solution**: Configure `WHATSAPP_APP_SECRET` environment variable or disable validation explicitly.
+
+**2. Invalid webhook signature**
+
+```
+Invalid webhook signature received
+```
+
+**Solution**: Verify your `app_secret` matches your WhatsApp app configuration.
+
+**3. Simulator authentication failed**
+
+```
+Invalid simulator cookie format
+```
+
+**Solution**: Ensure `FlowChat::Config.simulator_secret` is properly configured.
+
+**4. Missing simulator secret**
+
+```
+Simulator secret not configured
+```
+
+**Solution**: Set `FLOWCHAT_SIMULATOR_SECRET` environment variable or configure in initializer.
+
+### Debug Mode
+
+Enable debug logging for security events:
+
+```ruby
+# config/initializers/flowchat.rb
+if Rails.env.development?
+  FlowChat::Config.logger.level = Logger::DEBUG
+end
+```
+
+This will log security validation attempts and help troubleshoot configuration issues.
+
+## Security Updates
+
+This security system was introduced in FlowChat v2.0.0 and includes:
+
+- HMAC-SHA256 webhook signature validation
+- Secure simulator authentication with signed cookies  
+- Environment-specific security configuration
+- Comprehensive error handling and logging
+- Timing-attack resistant signature comparison
+
+For the latest security updates and recommendations, check the FlowChat changelog and security advisories. 

data/examples/initializer.rb

@@ -19,6 +19,22 @@ FlowChat::Config.cache = Rails.cache
 # Configure logger (optional)
 FlowChat::Config.logger = Rails.logger
 
+# Configure simulator security (REQUIRED for simulator mode)
+# This secret is used to authenticate simulator requests via signed cookies
+case Rails.env
+when 'development', 'test'
+  # Use Rails secret key with environment suffix for development
+  FlowChat::Config.simulator_secret = Rails.application.secret_key_base + "_#{Rails.env}"
+when 'staging', 'production'
+  # Use environment variable for production security
+  FlowChat::Config.simulator_secret = ENV['FLOWCHAT_SIMULATOR_SECRET']
+  
+  # Fail fast if simulator secret is not configured but might be needed
+  if FlowChat::Config.simulator_secret.blank?
+    Rails.logger.warn "FLOWCHAT_SIMULATOR_SECRET not configured. Simulator mode will be unavailable."
+  end
+end
+
 # Configure USSD pagination (optional)
 FlowChat::Config.ussd.pagination_page_size = 140
 FlowChat::Config.ussd.pagination_back_option = "0"
@@ -28,4 +44,43 @@ FlowChat::Config.ussd.pagination_next_text = "More"
 
 # Configure resumable sessions (optional)
 FlowChat::Config.ussd.resumable_sessions_enabled = true
-FlowChat::Config.ussd.resumable_sessions_timeout_seconds = 300 # 5 minutes 
+FlowChat::Config.ussd.resumable_sessions_timeout_seconds = 300 # 5 minutes
+
+# Configure WhatsApp message handling mode based on environment
+case Rails.env
+when 'development'
+  # Development: Use simulator mode for easy testing
+  FlowChat::Config.whatsapp.message_handling_mode = :simulator
+  
+when 'test'
+  # Test: Use simulator mode for deterministic testing
+  FlowChat::Config.whatsapp.message_handling_mode = :simulator
+  
+when 'staging'
+  # Staging: Use inline mode for real WhatsApp testing
+  FlowChat::Config.whatsapp.message_handling_mode = :inline
+  
+when 'production'
+  # Production: Use background mode for high volume
+  FlowChat::Config.whatsapp.message_handling_mode = :background
+  FlowChat::Config.whatsapp.background_job_class = 'WhatsappMessageJob'
+end
+
+# Configure per-environment WhatsApp security
+# Note: These are global defaults. You can override per-configuration in your controllers.
+
+# Example of per-environment WhatsApp security configuration:
+# 
+# For development/test: You might want to disable signature validation for easier testing
+# For staging: Enable validation to match production behavior  
+# For production: Always enable validation for security
+#
+# Individual WhatsApp configurations can override these settings:
+#
+# config = FlowChat::Whatsapp::Configuration.new
+# config.access_token = "your_token"
+# config.app_secret = "your_app_secret"              # Required for webhook validation
+# config.skip_signature_validation = false           # false = validate signatures (recommended)
+#
+# Development override example:
+# config.skip_signature_validation = Rails.env.development? # Only skip in development

data/examples/media_prompts_examples.rb

@@ -9,7 +9,7 @@ class MediaPromptFlow < FlowChat::Flow
   def main_page
     # ✅ Simple text input with attached image
     # The prompt text becomes the image caption
-    feedback = app.screen(:feedback) do |prompt|
+    app.screen(:feedback) do |prompt|
       prompt.ask "What do you think of our new product?",
         media: {
           type: :image,
@@ -25,4 +25,3 @@ class MediaPromptFlow < FlowChat::Flow
       }
   end
 end
-

data/examples/multi_tenant_whatsapp_controller.rb

@@ -7,11 +7,15 @@ class MultiTenantWhatsappController < ApplicationController
   def webhook
     # Determine tenant from subdomain, path, or other logic
     tenant = determine_tenant(request)
-    
+
     # Get tenant-specific WhatsApp configuration
     whatsapp_config = get_whatsapp_config_for_tenant(tenant)
-    
-    processor = FlowChat::Whatsapp::Processor.new(self) do |config|
+
+    # Enable simulator for local endpoint testing during development
+    # This allows testing different tenant endpoints via the simulator interface
+    enable_simulator = Rails.env.development? || Rails.env.staging?
+
+    processor = FlowChat::Whatsapp::Processor.new(self, enable_simulator: enable_simulator) do |config|
       config.use_gateway FlowChat::Whatsapp::Gateway::CloudApi, whatsapp_config
       config.use_session_store FlowChat::Session::CacheSessionStore
     end
@@ -26,41 +30,41 @@ class MultiTenantWhatsappController < ApplicationController
   def determine_tenant(request)
     # Option 1: From subdomain
     return request.subdomain if request.subdomain.present?
-    
+
     # Option 2: From path
     tenant_from_path = request.path.match(%r{^/whatsapp/(\w+)/})&.captures&.first
     return tenant_from_path if tenant_from_path
-    
+
     # Option 3: From custom header
-    return request.headers['X-Tenant-ID'] if request.headers['X-Tenant-ID']
-    
+    return request.headers["X-Tenant-ID"] if request.headers["X-Tenant-ID"]
+
     # Fallback to default
-    'default'
+    "default"
   end
 
   def get_whatsapp_config_for_tenant(tenant)
     case tenant
-    when 'acme_corp'
+    when "acme_corp"
       FlowChat::Whatsapp::Configuration.new.tap do |config|
-        config.access_token = ENV['ACME_WHATSAPP_ACCESS_TOKEN']
-        config.phone_number_id = ENV['ACME_WHATSAPP_PHONE_NUMBER_ID']
-        config.verify_token = ENV['ACME_WHATSAPP_VERIFY_TOKEN']
-        config.app_id = ENV['ACME_WHATSAPP_APP_ID']
-        config.app_secret = ENV['ACME_WHATSAPP_APP_SECRET']
-        config.business_account_id = ENV['ACME_WHATSAPP_BUSINESS_ACCOUNT_ID']
+        config.access_token = ENV["ACME_WHATSAPP_ACCESS_TOKEN"]
+        config.phone_number_id = ENV["ACME_WHATSAPP_PHONE_NUMBER_ID"]
+        config.verify_token = ENV["ACME_WHATSAPP_VERIFY_TOKEN"]
+        config.app_id = ENV["ACME_WHATSAPP_APP_ID"]
+        config.app_secret = ENV["ACME_WHATSAPP_APP_SECRET"]
+        config.business_account_id = ENV["ACME_WHATSAPP_BUSINESS_ACCOUNT_ID"]
       end
-    
-    when 'tech_startup'
+
+    when "tech_startup"
       FlowChat::Whatsapp::Configuration.new.tap do |config|
-        config.access_token = ENV['TECHSTARTUP_WHATSAPP_ACCESS_TOKEN']
-        config.phone_number_id = ENV['TECHSTARTUP_WHATSAPP_PHONE_NUMBER_ID']
-        config.verify_token = ENV['TECHSTARTUP_WHATSAPP_VERIFY_TOKEN']
-        config.app_id = ENV['TECHSTARTUP_WHATSAPP_APP_ID']
-        config.app_secret = ENV['TECHSTARTUP_WHATSAPP_APP_SECRET']
-        config.business_account_id = ENV['TECHSTARTUP_WHATSAPP_BUSINESS_ACCOUNT_ID']
+        config.access_token = ENV["TECHSTARTUP_WHATSAPP_ACCESS_TOKEN"]
+        config.phone_number_id = ENV["TECHSTARTUP_WHATSAPP_PHONE_NUMBER_ID"]
+        config.verify_token = ENV["TECHSTARTUP_WHATSAPP_VERIFY_TOKEN"]
+        config.app_id = ENV["TECHSTARTUP_WHATSAPP_APP_ID"]
+        config.app_secret = ENV["TECHSTARTUP_WHATSAPP_APP_SECRET"]
+        config.business_account_id = ENV["TECHSTARTUP_WHATSAPP_BUSINESS_ACCOUNT_ID"]
       end
-      
-    when 'retail_store'
+
+    when "retail_store"
       # Load from database
       tenant_config = WhatsappConfiguration.find_by(tenant: tenant)
       FlowChat::Whatsapp::Configuration.new.tap do |config|
@@ -71,7 +75,7 @@ class MultiTenantWhatsappController < ApplicationController
         config.app_secret = tenant_config.app_secret
         config.business_account_id = tenant_config.business_account_id
       end
-      
+
     else
       # Use default/global configuration
       FlowChat::Whatsapp::Configuration.from_credentials
@@ -80,11 +84,11 @@ class MultiTenantWhatsappController < ApplicationController
 
   def get_flow_for_tenant(tenant)
     case tenant
-    when 'acme_corp'
+    when "acme_corp"
       AcmeCorpFlow
-    when 'tech_startup'
+    when "tech_startup"
       TechStartupFlow
-    when 'retail_store'
+    when "retail_store"
       RetailStoreFlow
     else
       WelcomeFlow  # Default flow
@@ -99,7 +103,7 @@ class DatabaseWhatsappController < ApplicationController
   def webhook
     # Get account from business phone number or other identifier
     business_account = find_business_account(params)
-    
+
     if business_account.nil?
       return head :not_found
     end
@@ -129,7 +133,7 @@ class DatabaseWhatsappController < ApplicationController
     # 1. Phone number ID from webhook
     # 2. Business account ID from webhook
     # 3. Custom routing parameter
-    
+
     # Example: Find by phone number ID in webhook
     phone_number_id = extract_phone_number_id_from_webhook(params)
     BusinessAccount.find_by(whatsapp_phone_number_id: phone_number_id)
@@ -149,11 +153,11 @@ class EnvironmentWhatsappController < ApplicationController
   def webhook
     # Different configurations for different environments
     whatsapp_config = case Rails.env
-    when 'production'
+    when "production"
       production_whatsapp_config
-    when 'staging'
+    when "staging"
       staging_whatsapp_config
-    when 'development'
+    when "development"
       development_whatsapp_config
     else
       FlowChat::Whatsapp::Configuration.from_credentials
@@ -171,34 +175,34 @@ class EnvironmentWhatsappController < ApplicationController
 
   def production_whatsapp_config
     FlowChat::Whatsapp::Configuration.new.tap do |config|
-      config.access_token = ENV['PROD_WHATSAPP_ACCESS_TOKEN']
-      config.phone_number_id = ENV['PROD_WHATSAPP_PHONE_NUMBER_ID']
-      config.verify_token = ENV['PROD_WHATSAPP_VERIFY_TOKEN']
-      config.app_id = ENV['PROD_WHATSAPP_APP_ID']
-      config.app_secret = ENV['PROD_WHATSAPP_APP_SECRET']
-      config.business_account_id = ENV['PROD_WHATSAPP_BUSINESS_ACCOUNT_ID']
+      config.access_token = ENV["PROD_WHATSAPP_ACCESS_TOKEN"]
+      config.phone_number_id = ENV["PROD_WHATSAPP_PHONE_NUMBER_ID"]
+      config.verify_token = ENV["PROD_WHATSAPP_VERIFY_TOKEN"]
+      config.app_id = ENV["PROD_WHATSAPP_APP_ID"]
+      config.app_secret = ENV["PROD_WHATSAPP_APP_SECRET"]
+      config.business_account_id = ENV["PROD_WHATSAPP_BUSINESS_ACCOUNT_ID"]
     end
   end
 
   def staging_whatsapp_config
     FlowChat::Whatsapp::Configuration.new.tap do |config|
-      config.access_token = ENV['STAGING_WHATSAPP_ACCESS_TOKEN']
-      config.phone_number_id = ENV['STAGING_WHATSAPP_PHONE_NUMBER_ID']
-      config.verify_token = ENV['STAGING_WHATSAPP_VERIFY_TOKEN']
-      config.app_id = ENV['STAGING_WHATSAPP_APP_ID']
-      config.app_secret = ENV['STAGING_WHATSAPP_APP_SECRET']
-      config.business_account_id = ENV['STAGING_WHATSAPP_BUSINESS_ACCOUNT_ID']
+      config.access_token = ENV["STAGING_WHATSAPP_ACCESS_TOKEN"]
+      config.phone_number_id = ENV["STAGING_WHATSAPP_PHONE_NUMBER_ID"]
+      config.verify_token = ENV["STAGING_WHATSAPP_VERIFY_TOKEN"]
+      config.app_id = ENV["STAGING_WHATSAPP_APP_ID"]
+      config.app_secret = ENV["STAGING_WHATSAPP_APP_SECRET"]
+      config.business_account_id = ENV["STAGING_WHATSAPP_BUSINESS_ACCOUNT_ID"]
     end
   end
 
   def development_whatsapp_config
     FlowChat::Whatsapp::Configuration.new.tap do |config|
-      config.access_token = ENV['DEV_WHATSAPP_ACCESS_TOKEN']
-      config.phone_number_id = ENV['DEV_WHATSAPP_PHONE_NUMBER_ID']
-      config.verify_token = ENV['DEV_WHATSAPP_VERIFY_TOKEN']
-      config.app_id = ENV['DEV_WHATSAPP_APP_ID']
-      config.app_secret = ENV['DEV_WHATSAPP_APP_SECRET']
-      config.business_account_id = ENV['DEV_WHATSAPP_BUSINESS_ACCOUNT_ID']
+      config.access_token = ENV["DEV_WHATSAPP_ACCESS_TOKEN"]
+      config.phone_number_id = ENV["DEV_WHATSAPP_PHONE_NUMBER_ID"]
+      config.verify_token = ENV["DEV_WHATSAPP_VERIFY_TOKEN"]
+      config.app_id = ENV["DEV_WHATSAPP_APP_ID"]
+      config.app_secret = ENV["DEV_WHATSAPP_APP_SECRET"]
+      config.business_account_id = ENV["DEV_WHATSAPP_BUSINESS_ACCOUNT_ID"]
     end
   end
 end
@@ -232,13 +236,13 @@ end
 #   constraints subdomain: /\w+/ do
 #     post '/whatsapp/webhook', to: 'multi_tenant_whatsapp#webhook'
 #   end
-#   
-#   # Path-based routing  
+#
+#   # Path-based routing
 #   post '/whatsapp/:tenant/webhook', to: 'multi_tenant_whatsapp#webhook'
-#   
+#
 #   # Environment-specific
 #   post '/whatsapp/env/webhook', to: 'environment_whatsapp#webhook'
-#   
+#
 #   # Custom endpoint
 #   post '/whatsapp/custom/webhook', to: 'custom_whatsapp#webhook'
-# end 
+# end