
Only accept string payloads for webhooks.verify() and webhooks.verifyAndReceive() #589

@gr2m

Description


What’s missing?

We have recurring problems with some event payloads where the code returns a "signature does not match" error, mostly reported by Probot users who are probably the biggest share of users of @octokit/webhooks.

I think we should stop making assumptions about how a JSON payload is stringified by GitHub and only accept the raw request string, as all other webhook SDKs that I know of do, e.g. Stripe.

I'd consider passing the raw request body string a best practice today, and we enforce best practices in the @octokit modules.

The challenge this will bring is that the raw request body is not always easily accessible in server frameworks or serverless environments, so we should document how to do it with e.g. Express, AWS Lambda, Vercel, Begin, Azure Functions, Google Cloud Functions and Cloudflare Workers, and invite users to add examples for other platforms.

Alternatives you tried

n/a

Status: ✅ Done