-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does this actually validate webhook signatures #6
Comments
I agree. I added some code to do the validation in my serverless extension:
|
@rthadur yes - but ISTR it took a bit of faffing about. However we subsequently realised that since our app was bridging github to other services the probot approach wasn't that useful for us. When we got a github hook we almost always always need a client to the other services, we only needed a github client when the other services fired their own hooks. And although that was doable by wrapping probot, we weren't really using any of probot's automation and it was just adding an extra layer of complexity over using octokit etc directly. Particularly since we'd have had to add our own webhook validation, etc. So we're no longer using it and I don't think I still have the code I hacked up to experiment with getting the GCF deployment to work. |
@rthadur No, and I was never intending to. I was commenting here since I had the same issue in my serverless extension for Azure Functions: https://github.com/ethomson/probot-serverless-azurefunctions I did deploy my probot to Azure Functions with success (and significant cost savings over my prior environment).
|
This may be me, but it seems like it doesn't validate webhook signatures.
If I configure it with an incorrect webhook secret the requests are still handled as a 200 response. I assume it needs to be passing the X-Hub-Signature, and probably the raw request body, along to probot somewhere?
The text was updated successfully, but these errors were encountered: