Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Authenticated channels

See original GitHub issue

Even though channel names are random, it seems a little sketchy to broadcast events to any client that can guess a URL. It’d be great to have authenticated channels that prevent random clients from eavesdropping.

Here are a couple options for how it could work:

Pass the webhook secret in the Authorization header when the client connects. Before webhooks are delivered to a client, use the secret provided by the client to verify the signature. If it doesn’t validate, avoid delivering the event (and maybe even reject the client with a 401).
Add OAuth to smee.io and generate a secret for each user. The user can create channels as smee.io/:username/anything-you-want, but any channel starting with /:username/ must include the user’s token in the Authorization header.

Either way, the client would have to pass a secret, it’s just a question of whether that is the webhook secret configured on GitHub, or a secret from smee.io

new EventSource("https://smee.io/my-channel-name", {
  headers: {"Authorization": "my-secret"}
});

cc https://github.com/bkeepers/webhook-proxy/issues/3

Issue Analytics

State:
Created 6 years ago
Reactions:9
Comments:15 (10 by maintainers)

Top GitHub Comments

1reaction

tcbyrdcommented, Dec 1, 2022

Authentication is not likely going to be added to smee.io. Another team is working on a native integration using the gh command line, which will likely be the best way forward for people who need this feature: https://github.blog/changelog/2022-11-16-webhook-forwarding-in-the-github-cli-public-beta/

Once that feature is out of beta, we may end up shutting down smee.io entirely since it’s effectively the same functionality with a better integration.

cc @gr2m in case you have any other thoughts, but I’m going to close this issue for now.

0reactions

dhirschfeldcommented, Nov 30, 2022

Are there any plans to add this functionality? Unfortunately, I won’t be able to make use of this service without it 😦

Top Results From Across the Web

Secure channel - Wikipedia

An authentic channel is a means of data transmission that is resistant to tampering but not necessarily resistant to overhearing. In contrast to...

Authentication — Channels 4.0.0 documentation

The AuthMiddleware in Channels supports standard Django authentication, where the user details are stored in the session. It allows read-only access to a...

Establishing Authenticated Channels and Secure Identifiers in ...

In this work, we describe a method for establishing au- thenticated channels in a wireless ad-hoc network. The presented protocol is fully self-organized, ......

Authenticated Protected Channel | The IT Law Wiki - Fandom

An authenticated protected channel is [a]n encrypted communication channel that uses approved cryptography where the connection initiator (client) has ...

Authenticated Channels - Bitfinex API

To learn more, look to the Account Info channel page. Authenticating your Connection. Request parameters. Below are the parameters that are used to...