Authenticating requests
Hello kffl
I don't quite understand the "Authenticating requests" function. If I define a webhooks_secret, I should be able to open the POST at the target URL only if I authenticate with my webhooks_secret. But I can receive and read the POST on the target URL without authentication. Maybe I understand something wrong?
Thanks for your help.
Greetings swelcom
(I am not the maintainer)
> If I define a webhooks_secret, I should be able to open the POST at the target URL only if I authenticate with my webhooks_secret.
No, the other way around. The secret is used to authenticate the message/request. Thus, it can be used by the server at the URL to make sure the request is really from a specific Nextcloud. It is in the target server's interest to verify this (or rely on an unguessable URL) to make sure no one else can send requests.
Simplified, the webhook plugin uses the secret to authenticate ("log in") at the URL.
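What the check on the target server can look like, as an added example that is not part of this thread or the plugin's code: the receiver recomputes a signature from the raw body and the shared secret and rejects any POST that does not match. The header name `X-Webhook-Signature` and the HMAC-SHA256 construction are assumptions; use the header and hash scheme the plugin documents.

```python
import hashlib
import hmac

# Assumptions for this sketch (not taken from the plugin): the sender puts a
# hex HMAC-SHA256 of the raw body, keyed with the shared secret, in this header.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical header name


def sign(body: bytes, secret: bytes) -> str:
    """Signature the sender would attach (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def is_authentic(body: bytes, headers: dict, secret: bytes) -> bool:
    """True only if the signature header matches the one computed locally."""
    received = headers.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: anyone could have sent it
    expected = sign(body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


def handle_post(body: bytes, headers: dict, secret: bytes) -> int:
    """Receiver-side gate: returns the HTTP status the endpoint should send."""
    if not is_authentic(body, headers, secret):
        return 401  # reject before parsing or acting on the payload
    return 200


if __name__ == "__main__":
    secret = b"constructed-example-secret"       # constructed sample value
    body = b'{"eventType": "example", "id": 1}'  # constructed sample payload
    signed = {SIGNATURE_HEADER: sign(body, secret)}
    forged = {SIGNATURE_HEADER: sign(body, b"wrong-secret")}
    print(handle_post(body, signed, secret))         # sent by the real sender
    print(handle_post(body, {}, secret))             # no signature at all
    print(handle_post(body + b" ", signed, secret))  # body changed in transit
    print(handle_post(body, forged, secret))         # signed with another secret
```

Without a gate like `handle_post` on the receiving side, the endpoint accepts every POST regardless of whether a secret is configured on the sender.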