mattermost-community / mattermost-plugin-bitbucket

Mattermost plugin for Bitbucket
Apache License 2.0

[GH-24] Use secret when processing webhook call #39

Closed sibasankarnayak closed 2 years ago

sibasankarnayak commented 2 years ago

Added a token, which is the webhook secret that gets generated while configuring the Bitbucket plugin and is cross-checked whenever any call is made to the webhook.

Ticket here: https://github.com/mattermost/mattermost-plugin-bitbucket/issues/24

jfrerich commented 2 years ago

@mickmister to generate the webhook secret, what do you think about using the methodology used in Jira?

FYI, @sibasankar-demansol. The Jira plugin adds the following to plugin.json, which adds a webhook secret generation field.

https://github.com/mattermost/mattermost-plugin-jira/blob/master/plugin.json#L31-L36

I also think we should add documentation to the README for this process.

sibasankarnayak commented 2 years ago

@jfrerich Now we do use the webhook secret from the plugin console to validate the token via the callback URL from the webhook.

Can you let me know how I can add those to the documentation?

jfrerich commented 2 years ago

@sibasankar-demansol, I'm sorry. I was looking at a completely different plugin code base when I tried and failed to see the webhook secret in the plugin console.

jfrerich commented 2 years ago

The documentation for this configuration will be located here https://github.com/mattermost/mattermost-plugin-bitbucket/blob/master/docs/admin-guide/configuration.md

jfrerich commented 2 years ago

I think the following change to configuration.md would suffice.

  1. Set the following values:
    • Title: Mattermost Bitbucket Webhook - <repository_name>, replacing repository_name with the name of your repository.
    • URL: https://your-mattermost-url.com/plugins/bitbucket/webhook/your-webhook-secret
      • replace https://your-mattermost-url.com with your Mattermost deployment's Site URL.
      • replace your-webhook-secret with the secret generated in System Console > Plugins > Bitbucket > Webhook Secret

sibasankarnayak commented 2 years ago

I think the following change to configuration.md would suffice.

  1. Set the following values:

    • Title: Mattermost Bitbucket Webhook - <repository_name>, replacing repository_name with the name of your repository.
    • URL: https://your-mattermost-url.com/plugins/bitbucket/webhook/your-webhook-secret

      • replace https://your-mattermost-url.com with your Mattermost deployment's Site URL.
      • replace your-webhook-secret with the secret generated in System Console > Plugins > Bitbucket > Webhook Secret

@jfrerich Added to the documentation.

sibasankarnayak commented 2 years ago

Is there a way to not pass the secret as part of the URL i.e. via a query parameter?

In Bitbucket I didn't find any way to configure the webhook secret via request headers; it seems we can pass it through the URL itself.
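
An added example, not the plugin's own code: one way to perform the cross-check discussed in this thread when the secret travels in the URL path, using a constant-time comparison and keeping the secret out of rejection logs. The `/webhook/` prefix, the function names and the sample secret are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

const webhookPrefix = "/webhook/" // path relative to the plugin root (assumed)

// secretFromPath returns the one segment after webhookPrefix, or "" otherwise.
func secretFromPath(path string) string {
	rest := strings.TrimPrefix(path, webhookPrefix)
	if rest == path || rest == "" || strings.Contains(rest, "/") {
		return ""
	}
	return rest
}

// validWebhookPath compares in constant time; an unset secret fails closed.
func validWebhookPath(path, configured string) bool {
	got := secretFromPath(path)
	if configured == "" || got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(configured)) == 1
}

// redactPath hides the secret segment (valid or guessed) before logging.
func redactPath(path string) string {
	if secretFromPath(path) == "" {
		return path
	}
	return webhookPrefix + "[redacted]"
}

// webhookHandler is a hypothetical handler, not the plugin's own code.
func webhookHandler(configured string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !validWebhookPath(r.URL.Path, configured) {
			log.Printf("webhook rejected: %s", redactPath(r.URL.Path))
			http.Error(w, "not authorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // event processing would start here
	}
}

func main() { http.Handle(webhookPrefix, webhookHandler("constructed-example-secret")) }
```

Because the secret is part of the URL, any reverse proxy or access log in front of the server needs the same redaction, and the webhook URL should only ever be configured over HTTPS.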

mickmister commented 2 years ago

Deferring testing to next release testing cc @DHaussermann