gitea push hook secret comes from the payload not a form #34

jstrachan · 2019-07-04T07:30:29Z

just tried gitea's push webhook handling and it looks like the secret comes in via the json payload rather than via a form.

PR on its way...

bradrydzewski · 2019-07-07T21:45:43Z

The secret was deprecated in favor of using the hmac signature in the header to verify authenticity. One of the gitea maintainers recently submitted a pull request to support hmac verification, with a fallback to reading the secret. See #24.

fix: add support for get PRs to bitbucket cloud

tboerger · 2020-07-15T19:08:30Z

Can we close this issue?

ashwilliams1 · 2020-07-15T19:12:26Z

I think this remains an open issue. The secret should come from the payload, but the current implementation gets the value from a URL query parameter (via req.FormValue) which is Drone-specific. I think this may also require an update to the Gitea webhook creation code.

tboerger · 2020-07-15T23:00:12Z

But the secret had been deprecated in favor of the hmac signature?

jstrachan pushed a commit to jstrachan/go-scm that referenced this issue Oct 7, 2019

Merge pull request drone#34 from jstrachan/stuff

6fc527f

fix: add support for get PRs to bitbucket cloud

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

gitea push hook secret comes from the payload not a form #34

gitea push hook secret comes from the payload not a form #34

jstrachan commented Jul 4, 2019

bradrydzewski commented Jul 7, 2019 •

edited

tboerger commented Jul 15, 2020

ashwilliams1 commented Jul 15, 2020

tboerger commented Jul 15, 2020

gitea push hook secret comes from the payload not a form #34

gitea push hook secret comes from the payload not a form #34

Comments

jstrachan commented Jul 4, 2019

bradrydzewski commented Jul 7, 2019 • edited

tboerger commented Jul 15, 2020

ashwilliams1 commented Jul 15, 2020

tboerger commented Jul 15, 2020

bradrydzewski commented Jul 7, 2019 •

edited