
Protect route for incoming Bitbucket webhooks

Open swissspidy opened this issue 5 years ago • 2 comments

Issue Overview

In #70 we discussed how we can better protect the incoming webhook route for Bitbucket requests.

Bitbucket.org doesn't support secrets, so it's not really possible to verify these requests.

Right now we simply let all requests pass, which is not ideal.

What we could do:

  • Check request headers to verify that the requests come from Bitbucket
    Error prone, doesn't help that much.
  • Disallow these incoming webhooks by default and have users filter the responses to make them work.
    Poor UX because they don't work out of the box.

Additional context #70

swissspidy, Oct 31 '18 09:10

Could we adapt the API Endpoint to include the secret in the URL?

So instead of https://<url-to-your-glotpress-site>.com/wp-json/traduttore/v1/incoming-webhook have https://<url-to-your-glotpress-site>.com/wp-json/traduttore/v1/incoming-webhook/secret

grappler, Nov 08 '18 13:11
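As an added illustration of the two points raised above (the issue's "let everything through" default and grappler's secret-in-the-URL idea), here is how such a route could be guarded with a WordPress REST `permission_callback`. This is example code, not Traduttore's own implementation; the option name `traduttore_bitbucket_secret` and the `example_*` function names are assumptions.

```php
<?php
/**
 * Added example, not Traduttore's code: accept the webhook secret as the
 * last path segment and refuse the request unless it matches the stored one.
 * Assumes the secret lives in a hypothetical option 'traduttore_bitbucket_secret'.
 */
add_action( 'rest_api_init', function () {
	register_rest_route(
		'traduttore/v1',
		// Only URL-safe characters of a sensible minimum length are routed at all.
		'/incoming-webhook/(?P<secret>[A-Za-z0-9_-]{32,})',
		array(
			'methods'             => 'POST',
			'permission_callback' => 'example_verify_url_secret',
			'callback'            => 'example_handle_webhook',
		)
	);
} );

function example_verify_url_secret( WP_REST_Request $request ) {
	$expected = (string) get_option( 'traduttore_bitbucket_secret', '' );
	$given    = (string) $request->get_param( 'secret' );

	// No secret configured: fail closed instead of letting every request pass.
	if ( '' === $expected ) {
		return new WP_Error( 'no_secret', 'Webhook secret is not configured.', array( 'status' => 403 ) );
	}

	// Constant-time comparison so response timing does not leak the secret.
	if ( ! hash_equals( $expected, $given ) ) {
		return new WP_Error( 'bad_secret', 'Invalid webhook secret.', array( 'status' => 403 ) );
	}

	return true;
}

function example_handle_webhook( WP_REST_Request $request ) {
	$payload = $request->get_json_params();
	// Process the Bitbucket payload here; only reached after the secret check passed.
	return new WP_REST_Response( array( 'result' => 'ok' ), 200 );
}
```

Because the secret travels in the URL it will show up in web-server access logs and in Bitbucket's webhook delivery history, so those need to be treated as sensitive and the secret rotated if they are exposed.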

Hmm... Something like that is certainly doable, but I don't particularly like it, especially since I would not want to support this for non-Bitbucket requests.

swissspidy, Nov 08 '18 14:11