No webhook secret #1127
No webhook secret #1127
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here (e.g. What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
|
I signed it! |
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
There was a problem hiding this comment.
Thank you, @jbrockopp!
Just a couple minor tweaks, please, and then we will await a second LGTM before merging.
github/messages.go
Outdated
| return nil, err | ||
| // Only validate the signature if a secret message exists. This is intended for | ||
| // local development only and all webhooks should contain a secret message. | ||
| if secretKey != nil { |
There was a problem hiding this comment.
In Go, it is more idiomatic with slices to check against a length of zero which will work for both nil and a zero-length slice. Checking against nil is discouraged because it doesn't work for a zero-length slice.
So please change this to if len(secretKey) > 0 {.
github/messages_test.go
Outdated
| @@ -110,7 +110,7 @@ func TestValidatePayload_FormGet(t *testing.T) { | |||
|
|
|||
| // check that if payload is invalid we get error | |||
| req.Header.Set(signatureHeader, "invalid signature") | |||
| if _, err = ValidatePayload(req, nil); err == nil { | |||
| if _, err = ValidatePayload(req, []byte{}); err == nil { | |||
There was a problem hiding this comment.
This and line 143 will now need to be changed... since it is checking for an invalid signature, please just go ahead and use something like []byte{0} here and below.
github/messages.go
Outdated
| @@ -130,6 +130,8 @@ func messageMAC(signature string) ([]byte, func() hash.Hash, error) { | |||
| // The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded". | |||
| // If the Content-Type is neither then an error is returned. | |||
| // secretKey is the GitHub Webhook secret message. | |||
| // If your webhook does not contain a secret message, you can pass nil. This | |||
There was a problem hiding this comment.
How about ...pass nil or an empty slice. ?
|
@gmlewis I have made changes per your feedback. Please let me know if anything else is required 👍 |
There was a problem hiding this comment.
Thank you, @jbrockopp!
Awaiting second LGTM before merging.
github/messages.go
Outdated
| @@ -130,6 +130,8 @@ func messageMAC(signature string) ([]byte, func() hash.Hash, error) { | |||
| // The Content-Type header of the payload can be "application/json" or "application/x-www-form-urlencoded". | |||
| // If the Content-Type is neither then an error is returned. | |||
| // secretKey is the GitHub Webhook secret message. | |||
| // If your webhook does not contain a secret message, you can pass nil or an empty slice. | |||
| // This is intended for local development purposes only and all webhooks should contain a secret message. | |||
There was a problem hiding this comment.
minor nit: I believe we should maintain semantic consistency between GitHub documentation and the library's documentation so that the user can easily navigate between both of them with ease. Thus, I request that we update this to read "... all webhooks should ideally set up a secret token."
Thoughts @gmlewis @jbrockopp
There was a problem hiding this comment.
Sounds great! Let's please go ahead and address this change in this PR.
There was a problem hiding this comment.
@kshitij10496 @gmlewis sure I can do that. I was just following the previously used verbiage in the existing code.
// secretKey is the GitHub Webhook secret message.
There was a problem hiding this comment.
I have a minor, non-blocking suggestion about the general documentation which can be addressed in a separate change. So, LGTM on this PR! 👍
Thanks, @jbrockopp! 🎉
|
@kshitij10496 @gmlewis I have made changes per your feedback. Please let me know if anything else is required 👍 |
|
Thank you, @gauntface! |
Verify the payload signature if the request has a signature present in HTTP headers, or if a non-empty secretToken is passed to the ValidatePayload method, indicating that a signature is expected. This modifies the behavior added in #1127, but not the spirit of what was requested in #1126, which is to support webhooks that don't have configured secrets. Specifically, this no longer allows signature checking to be skipped entirely, even for webhooks with a configured secret, simply by passing an empty secretToken to ValidatePayload. Fixes #2731
Verify the payload signature if the request has a signature present in HTTP headers, or if a non-empty secretToken is passed to the ValidatePayload method, indicating that a signature is expected. This modifies the behavior added in #1127, but not the spirit of what was requested in #1126, which is to support webhooks that don't have configured secrets. Specifically, this no longer allows signature checking to be skipped entirely, even for webhooks with a configured secret, simply by passing an empty secretToken to ValidatePayload. Fixes #2731
Fixes #1126