go-scm

gitea push hook secret comes from the payload not a form

Open jstrachan opened this issue 5 years ago • 4 comments

Just tried Gitea's push webhook handling and it looks like the secret comes in via the JSON payload rather than via a form.

PR on its way...

jstrachan avatar Jul 04 '19 07:07 jstrachan

The secret was deprecated in favor of using the HMAC signature in the header to verify authenticity. One of the Gitea maintainers recently submitted a pull request to support HMAC verification, with a fallback to reading the secret. See https://github.com/drone/go-scm/pull/24.

bradrydzewski avatar Jul 07 '19 21:07 bradrydzewski

Can we close this issue?

tboerger avatar Jul 15 '20 19:07 tboerger

I think this remains an open issue. The secret should come from the payload, but the current implementation gets the value from a URL query parameter (via req.FormValue) which is Drone-specific. I think this may also require an update to the Gitea webhook creation code.

ashwilliams1 avatar Jul 15 '20 19:07 ashwilliams1

But the secret had been deprecated in favor of the HMAC signature?

tboerger avatar Jul 15 '20 23:07 tboerger
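
The check discussed in this thread, as an added example that is not go-scm's code and was not posted by anyone above: verify the HMAC signature header when it is present, and only fall back to the deprecated payload `secret` when no signature was sent. `verifyGiteaHook` and `sign` are hypothetical helper names, the sample body and key are constructed, and the signature is assumed to be the lowercase hex HMAC-SHA256 of the raw body as sent in `X-Gitea-Signature`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

var errMismatch = errors.New("webhook: signature or secret mismatch")

// sign returns the lowercase hex HMAC-SHA256 of the raw request body.
func sign(body []byte, key string) string {
	m := hmac.New(sha256.New, []byte(key))
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// verifyGiteaHook checks a delivery. sigHex is the X-Gitea-Signature header
// value ("" if absent); key is the secret configured for the hook.
func verifyGiteaHook(body []byte, sigHex, key string) error {
	if key == "" {
		return errors.New("webhook: no secret configured") // fail closed
	}
	if sigHex != "" {
		// A present-but-wrong signature is rejected; no fallback to the payload.
		if !hmac.Equal([]byte(sigHex), []byte(sign(body, key))) {
			return errMismatch
		}
		return nil
	}
	// Fallback: deprecated "secret" field carried inside the JSON payload.
	// It is a shared password only and does not protect the body's integrity.
	var p struct{ Secret string `json:"secret"` }
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(p.Secret), []byte(key)) != 1 {
		return errMismatch
	}
	return nil
}

func main() {
	body := []byte(`{"secret":"s3cr3t","ref":"refs/heads/master"}`) // constructed
	fmt.Println(verifyGiteaHook(body, sign(body, "s3cr3t"), "s3cr3t"))
	fmt.Println(verifyGiteaHook(body, sign(body, "other"), "s3cr3t"))
}
```
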