#4680 Create an endpoint to read the webhook token for project collaborators
Closed: Fixed 3 years ago by ngompa. Opened 4 years ago by fbo.

Today, to validate a webhook payload a system needs to know the project's private token. The connector endpoint (that allows reading the webhook token) has been added recently, but it requires the modify project ACL right and being a project admin. So a third-party application will need admin access in order to read the token, then validate and handle the payload.

Obviously, the token could be shared manually with the third-party app operator, but if the application manages multiple projects then it is problematic.

So my idea is to create a new endpoint to read the webhook token for a given project, but make it accessible to a project collaborator starting with the ticket access level.
To interact with a third-party application, a project admin will need to add the third-party app user as a collaborator and set the webhook server URL.

For instance, on Github and Gitlab the token is free form and one can be specified per webhook URL. In the third-party application configuration it is then possible to stick to a unique token, then tell project owners to use that given token. It seems this kind of integration is a bit flawed, as someone who knows that unique token could forge events for other projects. (Regarding a zuul third-party app, projects to handle are defined in the zuul configuration, so potential issues are mitigated.)

On github, applications can be defined. So a third-party application could interact with github repositories through the github application. When a github application is created, the application owner gets a webhook_token, an app_id and an app_key. This token, id and key will be used by the third-party application to interact with repositories/organisations that have added the github application. So here we see that if a project/organisation owner authorizes a github app in their project/organisation, then the third-party application can easily validate the hook payload via the webhook_token.

What do you think? How could we manage to let third-party applications deal more easily with payload validation?
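As an added example (not Pagure's own code), the kind of validator a third-party app would run once it can fetch each project's token: it assumes an HMAC-SHA256 hex digest over the raw body (an assumption, not necessarily Pagure's exact signature scheme), constructed sample tokens, and a hypothetical `PROJECT_TOKENS` lookup standing in for the proposed per-project endpoint; the shared-token variant shows why a single token cannot tell projects apart.

```python
import hmac
import hashlib

# Constructed sample tokens, standing in for what the proposed per-project
# endpoint would return to a collaborator. Hypothetical values, not real ones.
PROJECT_TOKENS = {
    "project-a": b"token-for-project-a",
    "project-b": b"token-for-project-b",
}


def sign_payload(token: bytes, body: bytes) -> str:
    """HMAC-SHA256 hex digest over the raw request body (assumed scheme)."""
    return hmac.new(token, body, hashlib.sha256).hexdigest()


def verify_webhook(project: str, body: bytes, signature: str) -> bool:
    """Per-project validation: look up the project's own token and compare
    the signature in constant time. Unknown projects are rejected outright,
    and a payload signed with another project's token fails here."""
    token = PROJECT_TOKENS.get(project)
    if token is None:
        return False
    expected = sign_payload(token, body)
    return hmac.compare_digest(expected, signature)


def verify_with_shared_token(shared: bytes, body: bytes, signature: str) -> bool:
    """Single-shared-token integration: anyone holding the token can produce a
    valid signature for any project, so the receiver cannot tell them apart."""
    return hmac.compare_digest(sign_payload(shared, body), signature)


if __name__ == "__main__":
    # Constructed sample event from project-a, signed with project-a's token.
    body = b'{"project": "project-a", "event": "issue.new"}'
    sig = sign_payload(PROJECT_TOKENS["project-a"], body)
    print("accepted for project-a:", verify_webhook("project-a", body, sig))
    print("accepted for project-b:", verify_webhook("project-b", body, sig))
```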


Metadata Update from @jlanda:
- Issue tagged with: RFE

4 years ago

This was fixed several months ago with the merge of https://pagure.io/pagure/pull-request/4698

Metadata Update from @ngompa:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
