400 Bad Request – due to missing `x-hub-signature` header

Bug Report

Current Behavior

I created a probot app following the instructions(*), but when I run it and try to receive a webhook probot fails and prints something along these lines:

INFO http: POST / 400 - 1.97 ms (id=12099dd3-a6d4-4fb6-96d2-42efcef3a65f)
ERROR probot: Bad Request

I was able to trace the cause into the octokit/webhooks package where the request is ignored due to missing headers:

  const missingHeaders = getMissingHeaders(request).join(', ')
  if (missingHeaders) {
    debug(`ignored: ${request.method} ${request.url} due to missing headers: ${missingHeaders}`)

    response.statusCode = 400
    response.end(`Required headers missing: ${missingHeaders}`)
    return
  }

The header that is missing is x-hub-signature. This header is only included in the request when the “Webhook secret” is provided, which is optional during GitHub App setup.

I know the documentation tells you to set the webhook secret to development, but that’s so easy to overlook (hence the (*) when I mentioned that I followed the instructions). The failure mode is rather non-descriptive (a generic 400 Bad Request), and nothing of help shows up in the log (even on trace level). The original message from octokit/webhooks (“Required headers missing: …”) somehow goes missing itself, too.

Environment

  • Probot version(s): 7
  • Node/npm version: 10 / ?
  • OS: latest macOS

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 9 (7 by maintainers)

Top GitHub Comments

2 reactions
hiimbex commented, Jul 13, 2018

Ah okay!! So I was able to reproduce this issue with the silencing of errors locally!

Steps to reproduce:

  1. Do not set a webhook secret in GitHub.
  2. Try to receive a webhook.

> my-first-probot-app@1.0.0 start /Users/hiimbex/Desktop/my-first-probot-app
> probot run ./index.js

23:55:56.357Z  INFO probot: Forwarding https://smee.io/weee to http://localhost:3000/
23:55:56.361Z  INFO probot: Listening on http://localhost:3000
23:55:56.693Z  INFO probot: Connected https://smee.io/weee
23:55:59.581Z  INFO http: POST / 400 - 1.48 ms (id=$ID)
23:55:59.585Z ERROR probot: Bad Request
  Error: Bad Request
      at Request.callback (/Users/hiimbex/Desktop/my-first-probot-app/node_modules/superagent/lib/node/index.js:706:15)
      at IncomingMessage.parser (/Users/hiimbex/Desktop/my-first-probot-app/node_modules/superagent/lib/node/index.js:916:18)
      at emitNone (events.js:111:20)
      at IncomingMessage.emit (events.js:208:7)
      at endReadableNT (_stream_readable.js:1064:12)
      at _combinedTickCallback (internal/process/next_tick.js:138:11)
      at process._tickDomainCallback (internal/process/next_tick.js:218:9)

I still was not sure what’s causing the lack of error, but as soon as I debugged it, I stumbled upon https://github.com/octokit/webhooks.js/issues/29 which seems possibly connected. cc/ @gr2m for octokit things & @mwebler from this issue (who also linked that issue in another probot issue about this topic and I totally missed it: sorry and thanks for the debugging/issue writing!!)

I can also confirm https://github.com/probot/smee/issues/63 is a duplicate of this.

As an action for this, I’m going to add a short blurb in our docs that says: ‘Although GitHub does not require a webhook secret, we do. This is for both security and best practices.’ or something similar. Additionally, we should investigate a programmatic solution to surface the true error here, likely via an octokit/webhooks update.

cc/ @bkeepers

1 reaction
gr2m commented, Aug 8, 2018

I’ve merged https://github.com/octokit/webhooks.js/pull/34 which should resolve the problem. It will release a new breaking version as it’s a breaking change, so we’ll need to update Probot’s package.json and do a new release to get the update. I’d say for Probot this could be considered a fix instead of a breaking change.
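
The failure discussed in this thread, as an added example that is not part of the original issue and is not Probot or octokit/webhooks code: a receiver-side check that names the missing header in its result and then verifies the `sha1=` HMAC that GitHub sends in `x-hub-signature`. The helper `checkDelivery`, its return shape, and the sample secret, body and delivery id are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('crypto')

// Headers GitHub sends with each delivery. x-hub-signature is only sent when a
// webhook secret is configured in the GitHub App settings.
const REQUIRED_HEADERS = ['x-github-event', 'x-github-delivery', 'x-hub-signature']

// GitHub's x-hub-signature value: "sha1=" + hex HMAC-SHA1 of the raw request body.
function sign (secret, rawBody) {
  return 'sha1=' + createHmac('sha1', secret).update(rawBody).digest('hex')
}

// Hypothetical helper (not Probot/octokit API). `headers` uses lower-case names,
// as Node's http module provides them. Returns { ok, status, reason } so the
// caller can log the reason instead of a bare "Bad Request".
function checkDelivery (headers, rawBody, secret) {
  if (!secret) {
    // Fail closed: without a secret nothing can be verified.
    return { ok: false, status: 500, reason: 'receiver has no webhook secret configured' }
  }
  const missing = REQUIRED_HEADERS.filter((name) => !headers[name])
  if (missing.length > 0) {
    let reason = 'Required headers missing: ' + missing.join(', ')
    if (missing.includes('x-hub-signature')) {
      reason += ' (is a webhook secret set in the GitHub App settings?)'
    }
    return { ok: false, status: 400, reason }
  }
  const expected = Buffer.from(sign(secret, rawBody))
  const received = Buffer.from(String(headers['x-hub-signature']))
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return { ok: false, status: 400, reason: 'x-hub-signature does not match the payload' }
  }
  return { ok: true, status: 200, reason: 'signature verified' }
}

// Constructed sample delivery (not captured traffic).
const SECRET = 'development'
const BODY = '{"action":"opened"}'
const BASE = { 'x-github-event': 'issues', 'x-github-delivery': 'constructed-id-1' }

console.log(checkDelivery(BASE, BODY, SECRET).reason)
console.log(checkDelivery({ ...BASE, 'x-hub-signature': sign(SECRET, BODY) }, BODY, SECRET).reason)
```

The signature must be computed over the raw request bytes, before any JSON parsing or re-serialisation.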
