Fix Feishu webhook signature verification #34788


Merged: lunny merged 11 commits into go-gitea:main from SnowballXueQiu:main on Jun 20, 2025

Conversation

@SnowballXueQiu (Contributor)

Fix Feishu Webhook Signature Verification

This PR implements proper signature verification for Feishu (Lark) webhooks according to the official documentation (https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot).

Changes

  • Implemented the `GenSign` function based on Feishu's official Go sample code
  • Modified the webhook request creation to include timestamp and signature in the payload when a secret is configured
  • Fixed the signature generation algorithm to properly use HMAC-SHA256 with the correct string format

Implementation Details

The signature verification works as follows:

  1. When a webhook secret is provided, a timestamp is generated
  2. The signature string is created using `timestamp + "\n" + secret`
  3. The HMAC-SHA256 algorithm is applied to an empty string using the signature string as the key
  4. The result is Base64 encoded to produce the final signature
  5. Both timestamp and signature are added to the payload

According to Feishu's documentation, the timestamp must be within 1 hour (3600 seconds) of the current time to be considered valid.

Security Note

Feishu emphasizes the importance of keeping webhook URLs secure. Do not disclose them on GitHub, blogs, or any public sites to prevent unauthorized use.

References

  • Feishu Custom Bot Documentation: https://open.feishu.cn/document/client-docs/bot-v3/add-custom-bot
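The five signing steps above, worked through in Go as an added example; this is not code from the PR or from Gitea, and the function names are chosen here for illustration. It signs a payload the way the sending side does when a secret is configured (HMAC-SHA256 keyed with `timestamp + "\n" + secret` over an empty message, Base64-encoded) and then shows the receiver-side check that Feishu's documentation implies: recompute, compare in constant time, and reject timestamps more than one hour from the current clock. The JSON field names `timestamp` and `sign` are Feishu's, taken from its custom-bot documentation rather than from this page; the secret and the fixed clock are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// feishuMaxSkew is the validity window Feishu documents for the timestamp:
// a signature older (or newer) than 3600 seconds is rejected.
const feishuMaxSkew = 3600 * time.Second

// genSign computes the Feishu custom-bot signature. Note the unusual
// construction: the HMAC key is "<timestamp>\n<secret>" and the message is
// empty, so the secret only ever enters the computation as key material.
func genSign(secret string, timestamp int64) string {
	key := strconv.FormatInt(timestamp, 10) + "\n" + secret
	mac := hmac.New(sha256.New, []byte(key))
	// Nothing is written: the signed message is the empty string.
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// signedPayload is the wire shape: the bot message plus the two signature
// fields. "timestamp" and "sign" are the field names Feishu expects.
type signedPayload struct {
	Timestamp string          `json:"timestamp"`
	Sign      string          `json:"sign,omitempty"`
	MsgType   string          `json:"msg_type"`
	Content   json.RawMessage `json:"content"`
}

// buildSignedPayload is the sender's job: stamp the request with the current
// time and, when a secret is configured, the matching signature.
func buildSignedPayload(secret string, now time.Time, text string) ([]byte, error) {
	ts := now.Unix()
	content, err := json.Marshal(map[string]string{"text": text})
	if err != nil {
		return nil, err
	}
	p := signedPayload{
		Timestamp: strconv.FormatInt(ts, 10),
		MsgType:   "text",
		Content:   content,
	}
	if secret != "" {
		p.Sign = genSign(secret, ts)
	}
	return json.Marshal(p)
}

// verifySignedPayload is the receiver-side check (what Feishu does with the
// request): enforce the one-hour window first, then recompute the signature
// from the shared secret and compare it in constant time.
func verifySignedPayload(secret string, now time.Time, raw []byte) error {
	var p signedPayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return err
	}
	ts, err := strconv.ParseInt(p.Timestamp, 10, 64)
	if err != nil {
		return fmt.Errorf("bad timestamp %q: %w", p.Timestamp, err)
	}
	skew := now.Sub(time.Unix(ts, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > feishuMaxSkew {
		return errors.New("timestamp outside the 1 hour validity window")
	}
	want := genSign(secret, ts)
	if !hmac.Equal([]byte(want), []byte(p.Sign)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	// Constructed sample secret; a real one comes from the Feishu bot settings.
	const secret = "example-secret-not-real"
	now := time.Unix(1750377600, 0) // fixed clock so the demo is reproducible
	body, err := buildSignedPayload(secret, now, "hello from gitea")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
	fmt.Println("correct secret:   ", verifySignedPayload(secret, now, body))
	fmt.Println("wrong secret:     ", verifySignedPayload("other", now, body))
	fmt.Println("two hours later:  ", verifySignedPayload(secret, now.Add(2*time.Hour), body))
}
```

Because the timestamp is part of the HMAC key, a captured request cannot be replayed with a fresh timestamp without knowing the secret, and the one-hour window bounds how long a captured request stays usable at all.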

GiteaBot added the lgtm/need 2 label (This PR needs two approvals by maintainers to be considered for merging.) on Jun 20, 2025
github-actions bot added the modifies/go label (Pull requests that update Go code) on Jun 20, 2025
techknowlogick added the backport/v1.24 (This PR should be backported to Gitea 1.24) and type/bug labels on Jun 20, 2025
@SnowballXueQiu (Contributor, Author)

@techknowlogick All errors fixed

Performance Overhead

`fmt.Sprintf` is slower than simple string concatenation or `strconv.FormatInt` because:

  • It uses reflection and parsing logic internally.
  • It's designed for formatting many types, not just basic strings or numbers.

Co-Authored-By: hiifong <i@hiif.ong>
@wxiaoguang (Contributor)

Added a test (the test data is generated by Feishu python demo), and simplified the code a little

@SnowballXueQiu (Contributor, Author)

@wxiaoguang Sorry, due to a funny problem, one of your commits (probably called 'change a better name') was reverted. Please push your code again.

@wxiaoguang (Contributor)

Done. Hopefully the updated code looks good to you.

Thank you very much for the PR

wxiaoguang added this to the 1.25.0 milestone on Jun 20, 2025
GiteaBot added lgtm/need 1 (This PR needs approval from one additional maintainer to be merged.) and removed lgtm/need 2 on Jun 20, 2025
GiteaBot added lgtm/done (This PR has enough approvals to get merged. There are no important open reservations anymore.) and removed lgtm/need 1 on Jun 20, 2025
lunny added the reviewed/wait-merge label (This pull request is part of the merge queue. It will be merged soon.) on Jun 20, 2025
lunny merged commit 40dec17 into go-gitea:main on Jun 20, 2025
26 checks passed
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request on Jun 20, 2025 (backport; the commit message repeats the PR description above, with trailers Co-authored-by: hiifong <i@hiif.ong> and Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>)
GiteaBot added backport/done (All backports for this PR have been created) and removed reviewed/wait-merge on Jun 20, 2025
@wxiaoguang (Contributor)

Found that the fix is incomplete, there is no "Secret" input on the UI

zjjhot added a commit to zjjhot/gitea that referenced this pull request on Jun 23, 2025 (a merge of giteaofficial/main, 22 commits, including "Fix Feishu webhook signature verification (go-gitea#34788)")
@wxiaoguang (Contributor)

-> Refactor webhook and fix feishu/lark secret (#34961)

go-gitea locked this as resolved and limited the conversation to collaborators on Sep 19, 2025

Reviewers

  • wxiaoguang approved these changes
  • hiifong approved these changes

Assignees

No one assigned

Labels

  • backport/done: All backports for this PR have been created
  • backport/v1.24: This PR should be backported to Gitea 1.24
  • lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
  • modifies/go: Pull requests that update Go code
  • type/bug

Projects

None yet

Milestone

1.25.0

6 participants

@SnowballXueQiu, @wxiaoguang, @hiifong, @lunny, @techknowlogick, @GiteaBot
