feat: add secret parameter to the webhooks

See #11
thathoff · Feb 19, 2021 · e794ba1 · e794ba1
1 parent 33f88d2
commit e794ba1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -75,10 +75,12 @@ return [
 - `push` (Boolean): Push your changes to remote? (default: `false`)
 - `commitMessageTemplate` (String): Configure the template for the commit message (default: `:action:(:item:): :url:`)
 - `cronHooksEnabled` (Boolean): Whether `/git-content/push` and `/git-content/pull` endpoints are enabled or not. (default: `true`)
+- `cronHooksSecret` (String): When set, this secret must be sent with the cronHooks as a get parameter.  Note: If you set
+  a secret, only the GET method will work on the webhooks.   `/git-content/(pull|push)?secret=S0up3rS3c3t`
 - `displayErrors` (Boolean): Display git errors when saving pages (default: `false`)
 - `gitBin` (String): Path to the `git` binary, [See Git.php](http://kbjr.github.io/Git.php/) `Git::set_bin(string $path)`
 - `windowsMode` (Boolean): [See Git.php](http://kbjr.github.io/Git.php/) `Git::windows_mode()` (default: `false`)
-- `disable` (Boolean): If set to `true`, the plugin won't initialize. (default: `false`) 
+- `disable` (Boolean): If set to `true`, the plugin won't initialize. (default: `false`)
 
 #### Custom Commit Message
 

diff --git a/index.php b/index.php
@@ -17,6 +17,7 @@
             'push'             => null,
             'commit'           => null,
             'cronHooksEnabled' => null,
+            'cronHooksSecret'  => null,
             'commitMessage'    => ':action:(:item:): :url:',
             'windowsMode'      => null,
             'gitBin'           => null,

diff --git a/src/KirbyGit.php b/src/KirbyGit.php
@@ -24,6 +24,17 @@ public function getRoutes()
         $route['pattern'] = 'git-content/(:any)';
         $route['method'] = 'GET|POST';
         $route['action'] = function($gitCommand) use ($gitHelper) {
+            // check to see if a secret is set, and if it is, verify it
+            $secret = option('thathoff.git-content.cronHooksSecret', '');
+            if ($secret !== '') {
+                $passedSecret = kirby()->request()->get('secret', '');
+                if ($passedSecret !== $secret) {
+                    return [
+                        'status' => 'forbidden',
+                        'message' => 'Invalid secret passed',
+                    ];
+                }
+            }
             switch ($gitCommand) {
                 case "push":
                     try {