
Confirming GitHub webhooks in AWS API Gateway authorizer function

Regarding GitHub webhooks, "HTTP requests made to your webhook's configured URL endpoint will contain several special headers" including X-Hub-Signature which is the "HMAC hex digest of the payload, using the hook's secret as the key". https://developer.github.com/webhooks/#payloads

When using AWS API Gateway, you'd ideally want to confirm the request came from GitHub using an authoriser function for the endpoint, by generating the HMAC hex digest of the payload and comparing it to the value in the X-Hub-Signature header. The problem is, the payload doesn't seem to be passed to the authoriser function, so it's impossible to generate the HMAC hex digest of it.

Am I missing something (in relation to getting access to the payload in the authorizer function) or is this a bit of a compatibility issue between GitHub webhooks and AWS API Gateway?

James asked Sep 06 '25 03:09



1 Answer

At the moment you cannot access the payload in the authorizer. We would like to explore various solutions for signature verification in general (including without an authorizer), but I don't have an ETA for that.

jackko answered Sep 07 '25 20:09

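Since the authorizer never sees the payload, the X-Hub-Signature check described in the question can instead run in the backend function that does receive the body. The following is an added example, not code from either poster or from AWS or GitHub: it assumes a Lambda proxy integration (event fields `headers`, `body`, `isBase64Encoded`) and the `sha1=<hex>` form of the header value; `WEBHOOK_SECRET`, `make_event` and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed placeholder; in a deployment, load the hook secret from
# configuration or a secrets store rather than source code.
WEBHOOK_SECRET = b"example-hook-secret"


def verify_github_signature(event, secret):
    """Return True only if X-Hub-Signature matches HMAC-SHA1 of the raw body."""
    # Header casing is not guaranteed, so normalise names before lookup.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    received = headers.get("x-hub-signature", "")
    if not received.startswith("sha1="):
        return False  # missing or malformed header: reject
    body = event.get("body") or ""
    # Hash the exact bytes that were sent; re-serialising parsed JSON would
    # change whitespace or key order and break the digest.
    if event.get("isBase64Encoded"):
        raw = base64.b64decode(body)
    else:
        raw = body.encode("utf-8")
    expected = "sha1=" + hmac.new(secret, raw, hashlib.sha1).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


def handler(event, context):
    """Backend handler: refuse the delivery before doing any work on it."""
    if not verify_github_signature(event, WEBHOOK_SECRET):
        return {"statusCode": 401, "body": "invalid signature"}
    return {"statusCode": 200, "body": "ok"}


def make_event(payload, secret, b64=False):
    """Build a constructed proxy-style event signed the way the sender would."""
    sig = "sha1=" + hmac.new(secret, payload, hashlib.sha1).hexdigest()
    body = base64.b64encode(payload).decode() if b64 else payload.decode()
    return {"headers": {"X-Hub-Signature": sig}, "body": body,
            "isBase64Encoded": b64}


if __name__ == "__main__":
    sample = make_event(b'{"zen":"Keep it logically awesome."}', WEBHOOK_SECRET)
    print(handler(sample, None))
```

The trade-off against an authorizer is that unauthenticated requests still reach and invoke the backend, so the check should be the first thing the handler does.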