Abuse Protection for webhooks #491
Conversation
|
looks like you pulled in the changes to the website 😄 |
|
I bet I just have to rebase |
n3wscott
force-pushed
the
abuse-protection
branch
3 times, most recently
from
cb32692
to
b3a2bcf
Compare
| AutoACKCallback: true, | ||
| AllowedOrigins: []string{"http://localhost:8181"}, | ||
| } | ||
| p.OptionsHandlerFn = p.OptionsHandler |
There was a problem hiding this comment.
yeah a future PR can add this to the default client to respond to OPTIONS
There was a problem hiding this comment.
I think it should be opt-in, because you need to know the rate limit and such
There was a problem hiding this comment.
plus the default allowed origin would have to be "*" which seems like a bad default
There was a problem hiding this comment.
Do you think it should be an opt-in or an opt-out feature? I don't think this interfere with the average usage of sdk-go
There was a problem hiding this comment.
because OPTIONS is optional by the spec, it should be OPT-IN so that integrators have to make choices about rate limits and origin filters up front.
There was a problem hiding this comment.
Okok i feel we should document it and make a "better entrypoint", like an option for the protocol EnableWebHookSupport() or something like that that does this assignment
Signed-off-by: Scott Nichols <snichols@vmware.com>
Signed-off-by: Scott Nichols <snichols@vmware.com>
Signed-off-by: Scott Nichols <snichols@vmware.com>
Signed-off-by: Scott Nichols <snichols@vmware.com>
Signed-off-by: Scott Nichols <snichols@vmware.com>
n3wscott
force-pushed
the
abuse-protection
branch
from
6e7ea65
to
18e0cf8
Compare
Signed-off-by: Scott Nichols <snichols@vmware.com>
n3wscott
changed the title
Signed-off-by: Scott Nichols <snichols@vmware.com>
Signed-off-by: Scott Nichols <snichols@vmware.com>
| } | ||
| // TODO: it is not clear what the rules for allowed hosts are. | ||
| // Need to find docs for this. For now, test for prefix. | ||
| if strings.HasPrefix(ro, ao) { |
There was a problem hiding this comment.
Maybe we could use this https://github.com/rs/cors/blob/master/cors.go or something similar to validate the origins, let's do it in a follow up.
| } | ||
| }, | ||
| }, | ||
| "405 if the receiver is not expecting a GET request": { |
There was a problem hiding this comment.
Maybe in a followup, but we need a test for the use case:
I want to set a receiver that doesn't accept events, accepts method
GET, and the user replies with events
|
Issues added. |
No description provided.