 

github service hook and basic authentication

I'm trying to figure out how to secure a webhook receiver for a github service hook.

In the github manual pages, when you look in the section on what IP addresses github hooks will come from, it has this warning:

"We highly recommend that you don't white list IPs for Service Hooks. Instead, setup HTTPS and basic authentication to verify incoming requests."

  • https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist#service-hook-ip-addresses

In the documentation on post receive hooks I don't see any way to set up basic authentication.

How can I use basic authentication with github post-receive/service/web hook that notifies me of a commit to a repository?

Brian Tingle asked Aug 20 '13 03:08




1 Answers

I think you can just use

https://yourUser:yourPassword@example.com/path

like in any basic auth situation.

I will give it a try tomorrow, too :) https://github.com/blog/237-basic-auth-post-receives

Ax3l answered Oct 22 '22 05:10