Add ability to "sign" payloads on event triggers
I was looking at using this Laravel package which allows a Laravel application to receive signed payloads. The default signature validator will check that the entire payload is checked using this line:
$computedSignature = hash_hmac('sha256', $request->getContent(), $signingSecret);
We can implement our own custom validator that just checks for a required header, but it would be great to add the ability to sign a payload to ensure it's not tampered with!
Issue Analytics
- State:
- Created 4 years ago
- Reactions:5
- Comments:5 (1 by maintainers)
@napalm272 when setting up an event trigger, you can set headers by environment variables.
We usually have a key per environment that we rotate on a regular basis. The application that receives the event trigger will reject if the headers and keys don’t match. It is really up to you on how you want to implement event triggers.
This feature request is asking to hash the entire event trigger payload. Given the example payload here, if we were to use an online tool to sign the example payload, the signed hash would look like this:
5dc275454c1622a5a89362833e5f132e38e8ca1c08e2d696c7a464e5f8531cee
The receiving webhook would verify that string against the key it has, so if it was tampered with, the app could ignore the request.
This is the same approach that JWT takes and makes a lot of sense in a distributed world of applications. Hope that clarifies it a little!
Any progress? This feature request shall be prioritized as it’s security-related
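The two approaches discussed in this thread, side by side, as an added example that is not code from the issue, the Laravel package or the project: a static header key check versus an HMAC-SHA256 signature over the raw body, using the same `hash_hmac` call quoted in the issue. The secrets, the header names `X-Webhook-Key` and `Signature`, the function names and the payload are all assumptions constructed for illustration.

```php
<?php
// Added example: secrets, header names and payload are constructed.
const SIGNING_SECRET = 'constructed-signing-secret';
const HEADER_KEY     = 'constructed-environment-key';

// Sender: HMAC-SHA256 over the exact bytes that go on the wire.
function sign_payload(string $rawBody, string $secret): string
{
    return hash_hmac('sha256', $rawBody, $secret);
}

// Header-only validator: the body never enters the decision.
function header_only_accepts(string $rawBody, array $headers): bool
{
    return hash_equals(HEADER_KEY, (string) ($headers['X-Webhook-Key'] ?? ''));
}

// Signature validator: recompute over the raw body, compare in constant time.
function signature_accepts(string $rawBody, array $headers, string $secret): bool
{
    $sent = (string) ($headers['Signature'] ?? '');
    if ($sent === '') {
        return false; // a missing signature is a rejection
    }
    return hash_equals(sign_payload($rawBody, $secret), $sent);
}

// Constructed event trigger delivery.
$body    = '{"event":{"op":"INSERT","data":{"new":{"id":1,"amount":10}}}}';
$headers = [
    'X-Webhook-Key' => HEADER_KEY,
    'Signature'     => sign_payload($body, SIGNING_SECRET),
];

// Same headers, body changed after signing.
$tampered = str_replace('"amount":10', '"amount":9999', $body);

foreach (['original' => $body, 'tampered' => $tampered] as $label => $raw) {
    printf(
        "%-8s header-only=%s signature=%s\n",
        $label,
        var_export(header_only_accepts($raw, $headers), true),
        var_export(signature_accepts($raw, $headers, SIGNING_SECRET), true)
    );
}
```

The receiver has to verify against the raw request body as received (what `$request->getContent()` returns in the line quoted above), because decoding and re-encoding the JSON can change the bytes and break the comparison.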