I’m confused by this documentation, and believe there may be an error:
The tutorial to create a function and endpoint to handle posts from a GitHub Webhook says to set Require a Secret for authorization. But then it says to enter the secret string in the Secret setting. These are incompatible. The Atlas endpoint is expecting secret=tutorial as a query parameter, but GitHub instead uses the secret string to generate X-Hub-Signature-256 and X-Hub-Signature SHA hashes in the header.
The only other option for endpoint request validation is Verify Payload Signature. But this then expects a SHA256 hash labeled as Endpoint-Signature in the header. This is not what GitHub sends, nor is it one of the authorization options in Postman. A custom client app could generate that header entry, but GitHub does not.
Please correct me if I’m wrong, but it would appear that:
- The tutorial should tell you to append ?secret=tutorial to the URL entered on GitHub, and leave the Secret field on GitHub blank.
- The only way to use the Verify Payload Signature endpoint option is to write your own code on the client to generate that hash and add it to the header as Endpoint-Signature.
- Other authentication schemes such as the options in Postman (JWT Bearer, OAuth…) must be done by custom code (e.g., that I would write) in an Atlas App Services function.
I’m not as sure about the last point since I’m still working through the tutorials.
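For reference, an added example (not part of the original post, and not MongoDB or GitHub code) of the custom-code route: checking GitHub's X-Hub-Signature-256 header, which is "sha256=" followed by the hex HMAC-SHA256 of the raw request body keyed with the webhook secret. It uses Node's crypto module rather than the Atlas function API; the function names and the sample body are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample payload; a real delivery is the exact raw bytes GitHub sent.
const SAMPLE_BODY = '{"action":"opened","repository":{"full_name":"example/repo"}}';

// Value GitHub would place in X-Hub-Signature-256 for this secret and raw body.
function githubSignature256(secret, rawBody) {
  const mac = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return "sha256=" + mac;
}

// Returns true only if the header matches the HMAC of the raw body.
// Header names are matched case-insensitively; values may be a string or
// an array of strings (assumption: some runtimes pass headers as arrays).
function verifyGithubWebhook(secret, rawBody, headers) {
  let received;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "x-hub-signature-256") {
      received = Array.isArray(value) ? value[0] : value;
    }
  }
  if (typeof received !== "string" || !received.startsWith("sha256=")) {
    return false; // header missing or in the wrong scheme: reject
  }
  const expected = Buffer.from(githubSignature256(secret, rawBody), "utf8");
  const got = Buffer.from(received, "utf8");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (got.length !== expected.length) return false;
  return crypto.timingSafeEqual(got, expected);
}
```

The HMAC must be computed over the body exactly as received; re-serializing parsed JSON can change the bytes and make a valid delivery fail verification.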