Adding github webhook secret key option. Fixes #34 #119
@@ -301,6 +303,15 @@ func (s *Server) postEvents(w http.ResponseWriter, r *http.Request) { | |||
githubReqID := "X-Github-Delivery=" + r.Header.Get("X-Github-Delivery") | |||
var payload []byte | |||
|
|||
// validate payload if github webhook secret key is set | |||
if s.eventParser.GithubWehbookSecretKey != "" { | |||
_, err := gh.ValidatePayload(r, []byte(s.eventParser.GithubWehbookSecretKey)) |
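Review bot: on the `gh.ValidatePayload` line the returned payload is discarded (`_, err :=`), but ValidatePayload reads `r.Body` to compute the HMAC, so anything postEvents reads from the body afterwards sees an already-drained stream. Assign the result to the `payload` declared just above and parse the event from those verified bytes. The branch is also fail-open: an empty `GithubWehbookSecretKey` silently skips validation, so consider logging at startup when no secret is configured. The field name is misspelled (`Wehbook` for `Webhook`), which is worth fixing before it becomes part of the config surface.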
this doesn't work if the webhook is set up using x-www-form-urlencoded
I think it would, right? I am checking for secret key before we even determine whether the request is Content-Type is `json` or `x-www-form-urlencoded`.
Can we close this in favor of #120?
Yes sir. 👍
Yeah but if you see my pr you see that in the form version it's not the
json string that is used for the signature.
On Sun, Aug 13, 2017, 11:03 PM Anubhav Mishra ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In server/server.go
<#119 (comment)>:
> @@ -301,6 +303,15 @@ func (s *Server) postEvents(w http.ResponseWriter, r *http.Request) {
githubReqID := "X-Github-Delivery=" + r.Header.Get("X-Github-Delivery")
var payload []byte
+ // validate payload if github webhook secret key is set
+ if s.eventParser.GithubWehbookSecretKey != "" {
+ _, err := gh.ValidatePayload(r, []byte(s.eventParser.GithubWehbookSecretKey))
I think it would right? I am checking for secret key before we even
determine whether the request is Content-Type is json or
x-www-form-urlencoded.
Fix Docker images not building.
`gh-webhook-secret-key` to supply Github webhook secret key to verify payloads.
TODO: