Fixes an issue which allowed webhooks to be processed with an incorrect webhook secret.
This adds a case to return a 401 when the verify function returns false. The verify function also always returns false as it is being passed in JSON from a WorkflowJob webhook object instead of the request body (which is how GitHub generates its signatures) meaning the signatures will never match (see https://github.com/yanyongyu/githubkit?tab=readme-ov-file#webhook-verification).
I am not familiar with FastAPI at all so if there is a better way of getting the request body without having to add async that you know of I am happy to change it :)
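An added example, not code from this pull request or from githubkit: it shows why a signature check over re-serialized JSON cannot match and how a handler should reject with 401. It assumes GitHub's `X-Hub-Signature-256` scheme (`sha256=` plus the hex HMAC-SHA256 of the raw body); `handle_webhook`, `reserialized`, the secret and the payload are hypothetical, constructed names and values.

```python
import hashlib
import hmac
import json
from typing import Optional

SECRET = "constructed-test-secret"  # constructed value, not a real secret
# Constructed payload, compact as it would arrive on the wire.
RAW_BODY = b'{"action":"queued","workflow_job":{"id":1,"name":"build"}}'


def sign(secret: str, body: bytes) -> str:
    """Build the header value the sender computes over the exact body bytes."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify(secret: str, body: bytes, signature: Optional[str]) -> bool:
    """Constant-time comparison of the header against the received bytes."""
    if not signature:
        return False
    return hmac.compare_digest(sign(secret, body).encode(), signature.encode())


def reserialized(raw_body: bytes) -> bytes:
    """Parse and dump again: same data, different bytes (spacing changes)."""
    return json.dumps(json.loads(raw_body)).encode()


def handle_webhook(secret: str, raw_body: bytes, signature: Optional[str]) -> int:
    """Hypothetical framework-free handler that returns only a status code."""
    if not verify(secret, raw_body, signature):
        return 401  # reject before parsing or acting on the payload
    json.loads(raw_body)  # parse only after the signature has been accepted
    return 200


GOOD_SIG = sign(SECRET, RAW_BODY)  # what the sender would put in the header

if __name__ == "__main__":
    print("raw body, right secret:", handle_webhook(SECRET, RAW_BODY, GOOD_SIG))
    print("raw body, wrong secret:", handle_webhook("wrong-secret", RAW_BODY, GOOD_SIG))
    print("missing header:", handle_webhook(SECRET, RAW_BODY, None))
    # Verifying re-serialized JSON fails even with the right secret.
    print("re-serialized body:", handle_webhook(SECRET, reserialized(RAW_BODY), GOOD_SIG))
```
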