Open dotCore-off opened 1 year ago
Request headers seem to work fine; however, it prevents the Ping webhook from reaching the relay. Must be fixed, as it shows that the webhook failed.
Wouldn't it make more sense to verify/secure the webhook with the X-Hub-Signature-256 header instead of just checking if they are defined?
More here: https://docs.github.com/de/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers
PHP already has a nice HMAC function that could be used:
hash_hmac('sha256', <the webhook body>, <the defined secret>);
and file_get_contents('php://input') should be able to get the request body in raw (if I have time I will create a PR to add this)
Edit: Should be added with #3
To prevent kids from accessing someone's relay site & spamming a Discord server through webhooks, we must implement some sort of verification by securing GitHub webhooks in two ways:
(implemented, must test)
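The signature check suggested in the comment above, written out as an added example (not code from this thread or from the project). The function name `verify_github_signature`, the `WEBHOOK_SECRET` environment variable, and the sample secret and body are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: true only when $header carries a valid
 * HMAC-SHA256 of $rawBody keyed with $secret.
 * GitHub sends the header value as "sha256=<64 hex characters>".
 */
function verify_github_signature(string $rawBody, ?string $header, string $secret): bool
{
    // Fail closed: an unset secret or a missing header is never accepted.
    if ($secret === '' || $header === null) {
        return false;
    }
    // Reject anything that is not exactly "sha256=" plus 64 hex digits.
    if (!preg_match('/^sha256=([0-9a-f]{64})$/i', $header, $m)) {
        return false;
    }
    // Compute the MAC over the raw bytes, not over re-encoded JSON.
    $expected = hash_hmac('sha256', $rawBody, $secret);
    // hash_equals compares in constant time, so timing does not leak the MAC.
    return hash_equals($expected, strtolower($m[1]));
}

// Constructed sample values so the checks below run offline.
$secret = 'example-secret';
$body   = '{"zen":"Keep it logically awesome.","hook_id":1}';
$good   = 'sha256=' . hash_hmac('sha256', $body, $secret);

var_dump(verify_github_signature($body, $good, $secret));        // signed body
var_dump(verify_github_signature($body . ' ', $good, $secret));  // body altered after signing
var_dump(verify_github_signature($body, null, $secret));         // header absent
var_dump(verify_github_signature($body, 'sha256=' . str_repeat('0', 64), $secret)); // wrong MAC
var_dump(verify_github_signature($body, $good, ''));             // secret not configured

// In the relay's request handler (assumed wiring, WEBHOOK_SECRET is hypothetical):
// $raw = file_get_contents('php://input');
// $sig = $_SERVER['HTTP_X_HUB_SIGNATURE_256'] ?? null;
// if (!verify_github_signature($raw, $sig, getenv('WEBHOOK_SECRET') ?: '')) {
//     http_response_code(401);
//     exit;
// }
```

The check has to run on the raw body from `php://input` before any `json_decode`, because re-serialising the payload changes the bytes and the MAC no longer matches.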