You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a verification_token field to the crawl URL, used with the webhook field. It accepts a nonce string for the server to verify upon receiving webhooks, ensuring they originate from a legitimate source.
Adds HMAC-SHA256 verification on webhooks
If provided with a "secretKey" in the request body, the webhook response will now contain a header, "Webhook-Signature": "sha256=<hash>"
The <hash> being a SHA256 hash with the secretKey on the raw request body string.
Example of verifying the request body with express.js
Make sure to use the body string before it is parsed to JSON (JSON.parse() or equivalent). Ideally in a middleware.
While this solution does mimic the version described in the #813, It can be computationally expensive.
A better solution might just be passing the secret in the response body, instead of hashing it (the secret can be a uuid)
Why? If the secret is leaked, the authentication is broken, so as long as the secret remains safe, that is, the client and server are the only ones who know it, hashing the request body may not be necessary unless
the request body is susceptible to MITM attacks which can lead to the body being changed, but with HTTPS this should be less of a worry (not non-existent however)
Please let me know if I'm missing something.
We're now going with a simple verification_token method
Renaming seems to have broken something, results have become unpredictable, I'll fix this in a moment. @rafaelsideguide Could you pllease test this on your system and let me know if its fine
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a verification_token field to the crawl URL, used with the webhook field. It accepts a nonce string for the server to verify upon receiving webhooks, ensuring they originate from a legitimate source.
Adds HMAC-SHA256 verification on webhooks
If provided with a "secretKey" in the request body, the webhook response will now contain a header,
"Webhook-Signature": "sha256=<hash>"The <hash> being a SHA256 hash with the secretKey on the raw request body string.
Example of verifying the request body with express.jsMake sure to use the body string before it is parsed to JSON (JSON.parse() or equivalent). Ideally in a middleware.
Fixes #813