Verifying requests in my Probot app #1592

oscard0m · 2021-09-16T18:52:35Z

oscard0m
Sep 16, 2021

Hi Probot team!

Working on a GitHub App (using Probot of course 💪🏽 ) as an Express middleware. I would like to know what would be the easiest and best practice to verify requests received by my GitHub App. I know there's probot.webhooks.verify and probot.webhooks.verifyAndReceive but with the file-tree used in the project I'm participating I don't see how to do this:

Click to expand file structure!

// server.ts
import express from "express";
import eventHandler from "./routes/event-handler";

const app = express();
const port = process.env.PORT;

app.use("/event_handler", eventHandler);

app.listen(port, () => {
 console.log(`Server running at http://localhost:${port}`);
});

// routes/event-handler.ts
import express from "express";
import { probotMiddleware } from "../middlewares/probot";

const router = express.Router();

router.use(express.json());

router.use(probotMiddleware);

router.post("/", async (_req, res) => {
  res.status(200).end();
});

export default router;

// middlewares/probot.ts
import { createNodeMiddleware, createProbot } from "probot";
import app from "../vcs/github/github-app";

export const probotMiddleware = createNodeMiddleware(app, {
  probot: createProbot(),
});

// vcs/github/github-app.ts

import { Probot } from "probot";
import { checkSuiteEventHandler } from "./event-handlers/check-suite";

export default (app: Probot) => {
  app.on(
    ["check_suite.requested", "check_suite.rerequested"],
    checkSuiteEventHandler
  );
};

// event-handlers/check-suite.ts
import { Context } from "probot";

export const checkSuiteEventHandler = async (
  context: Context<"check_suite.requested" | "check_suite.rerequested">
) => {
  
  const startTime = new Date();
  const payload = context.payload.check_suite;

  const { head_branch: headBranch, head_sha: headSha } = payload;

  return context.octokit.checks.create(...);
};

In my mind there should be an option verifyRequests: true when creating a Probot instance and use Octokit's verifyAndReceive instead of receive (not sure if what I say has sense in Probot's architecture).

I found issues which are kind of related but I'm not sure if they plan to solve this exactly issue:

Not sure if it's directly related to this issue created by @gr2m: webhooks.verifyAndParse and standalone verifyAndParse method octokit/webhooks.js#379
This AWS Lambda Adapter seems to be solving somehow the issue but still this is a separate package, in my mind there should be a solution provided from Probot.
In this Probot issue seems kind of related and is still open, not sure if this discussion would fit in that issue: Throw helpful error if appId/privateKey/secret credentials are not set #1485