How to check webhook identity with a valid secret in a web app?

Seikyo Cho April 27, 2024

If I create a dynamic webhook from the REST API:

https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-webhooks/#api-rest-api-2-webhook-post

I can set a random secret like:

https://developer.atlassian.com/cloud/jira/platform/webhooks/#registering-a-webhook-using-the-jira-rest-api--other-integrations-

Then the secret will be saved on Atlassian server.

Every time I send an event and trigger the webhook, it posts data to my web app. In order to check whether it comes from the identity I allow, I have to compare the POST header with the secret code I set before.

But I can only find the x-hub-signature header in the incoming data, and each time it changes to a different value.

So how can I handle it correctly?

Here is the example code:

function handleWebhook(req, res) {
    // Retrieve the secret code from the request headers
    const receivedSecret = req.headers['x-hub-signature'];

    // Verify the secret code
    if (receivedSecret === process.env.JIRA_WEBHOOK_SECRET) {
        // Secret code is valid, proceed with handling the webhook payload
        console.log('Received webhook payload:', req.body);

        // Respond with a 200 OK status to acknowledge receipt of the webhook
        res.sendStatus(200);
    } else {
        // Secret code doesn't match, reject the request
        console.error('Invalid secret code');
        res.sendStatus(403); // Forbidden
    }
}


0 answers

Deployment type: Cloud. Product plan: Free. Permissions level: Site Admin. Tags: AUG Leaders.