Issue 1: There doesn't seem to be an X-HubSpot-Signature sent on Iframe GETs. There appears to be no sha256 hash checking on these requests (couldn't see one when logging header outputs). Guessing I will need to create some kind of request token on my end?
Issue 2: What's the best way to identify users? Simply add a token to the Iframe URL?
Thanks for your patience here; I'll try to address your issues separately to avoid any confusion:
The extension iframe is a pure iframe, and you should treat it in the same way that you'd treat a request coming from a web browser with regard to authentication. If a user needs to be logged in to view the contents of the iframe, they should go through your app's login flow when viewing via the iframe.
While I can't say for sure what would be best for your specific app, adding a token to the webhook URL is a secure way to identify your users and would likely be a good course of action.
Every time the CRM Extension is loaded we generate a token and store it in our DB with our internal user id and then append the token only to the iFrame URL.
When an iFrame call is made we check the token and the portal ID. If it matches the user ID stored against it we log them in/set the session.
All tokens expire after 30 min, and the HubSpot user is told to refresh their browser.
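
The token flow described in the last reply, sketched as an added example (not code from the poster or from HubSpot). Assumptions: an in-memory dict stands in for the database, the query parameter is named `token`, the function names are hypothetical, and the store keeps only a SHA-256 digest of each token, which the post does not mention.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute expiry from the post

# Stand-in for the database table in the post (assumption: in-memory dict).
# Keyed by SHA-256 of the token so a leaked table does not yield usable tokens.
_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id, portal_id, now=None):
    """On CRM extension load: mint a random token bound to user and portal."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = {
        "user_id": user_id,
        "portal_id": str(portal_id),
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return token


def iframe_url(base_url, token):
    """Append the token to the iframe URL ("token" name is an assumption)."""
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("token", token)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def redeem_token(token, portal_id, now=None):
    """On the iframe GET: return the user id to log in, or None to reject."""
    now = time.time() if now is None else now
    record = _tokens.get(_digest(token or ""))
    if record is None:
        return None  # unknown or forged token
    if now >= record["expires_at"]:
        _tokens.pop(_digest(token), None)  # purge; user must refresh the CRM page
        return None
    if record["portal_id"] != str(portal_id):
        return None  # token presented for a different portal
    return record["user_id"]
```

Because the token travels in a URL, it can end up in access logs and `Referer` headers, so the short expiry and the portal binding are what limit its usefulness if it leaks.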