[FEAT]: Facilitate webhook secret rotation #770
Comments
nwf-msr
added
Status: Triage
|
I think your use case is valid, we could support setting the But I would not permit it to be mutable. That would be a different feature, and if we were to decide to support it, I'd make it explicit with a callback function instead of a mutable array. |
|
Oh, yes, sorry, I hadn't meant to suggest a dynamic list of secrets. While I can see it being useful... selfishly, my use case has the WebHook listeners as single-shot Azure Function Apps, so it should suffice to change the secrets registered with those to ensure that all subsequent calls are checked against updated values. |
|
there is now a |
|
Yes, sorry; that was always supposed to be the next step after octokit/webhooks-methods.js#134 landed, but I have been transferred internally and my prior projects are being held on minimal life support. |
|
no worries at all, I just wanted to add the context so folks know about it |
wolfy1339
added
the
Status: Up for grabs
Describe the need
The current
verifyAndReceivefunction assumes that there is exactly one secret in use at any time:webhooks.js/src/verify-and-receive.ts
Lines 10 to 11 in d6286fa
which frustrates secret rotation, which can be a requirement in organizational settings. In particular, the current design essentially forces either programmer suffering (maintaining multiple webhook objects) or a window in which the sender and receiver will disagree about the (singular) secret value.
It would be ideal if, instead,
verifyAndReceiveaccepted a list of secrets and attempted verification against each one. Then key rotation is straightforward:SDK Version
No response
API Version
No response
Relevant log output
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: