Merge branch '18256-secret-token-docs' into 'master'

Document that webhook secret token is sent in X-Gitlab-Token HTTP header ## What does this MR do? Note that the secret token is sent in the X-Gitlab-Token header on the webhook documentation page, as well as directly below the secret token field on the webhook settings form. ## Are there points in the code the reviewer needs to double check? No. ## Why was this MR needed? It took me a while to figure out how to verify the token in my hook endpoint. Issue #18256 is where I found how to do it. ## What are the relevant issue numbers? #18256 ## Screenshots (if relevant) ## Does this MR meet the acceptance criteria? - [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [ ] API support added - Tests - [ ] Added for this feature/bug - [x] All builds are passing - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if you do - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) Closes #18256 See merge request !5664

Merge branch '18256-secret-token-docs' into 'master'
Document that webhook secret token is sent in X-Gitlab-Token HTTP header ## What does this MR do? Note that the secret token is sent in the X-Gitlab-Token header on the webhook documentation page, as well as directly below the secret token field on the webhook settings form. ## Are there points in the code the reviewer needs to double check? No. ## Why was this MR needed? It took me a while to figure out how to verify the token in my hook endpoint. Issue #18256 is where I found how to do it. ## What are the relevant issue numbers? #18256 ## Screenshots (if relevant) ## Does this MR meet the acceptance criteria? - [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [ ] API support added - Tests - [ ] Added for this feature/bug - [x] All builds are passing - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if you do - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) Closes #18256 See merge request !5664
af9127e0 · Rémy Coutable · 0ead7c91 · 27d87d79 · af9127e0 · af9127e0
Commit af9127e0 authored Aug 08, 2016 by Rémy Coutable
Showing with 6 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

app/views/shared/web_hooks/_form.html.haml app/views/shared/web_hooks/_form.html.haml +1 -1

doc/web_hooks/web_hooks.md doc/web_hooks/web_hooks.md +4 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -39,6 +39,7 @@ v 8.11.0 (unreleased)
  - Include old revision in merge request update hooks (Ben Boeckel)
  - Add build event color in HipChat messages (David Eisner)
  - Make fork counter always clickable. !5463 (winniehell)
+  - Document that webhook secret token is sent in X-Gitlab-Token HTTP header !5664 (lycoperdon)
  - Gitlab::Highlight is now instrumented
  - All created issues, API or WebUI, can be submitted to Akismet for spam check !5333
  - The overhead of instrumented method calls has been reduced

--- a/app/views/shared/web_hooks/_form.html.haml
+++ b/app/views/shared/web_hooks/_form.html.haml
@@ -19,7 +19,7 @@
        = f.label :token, "Secret Token", class: 'label-light'
        = f.text_field :token, class: "form-control", placeholder: ''
        %p.help-block
-          Use this token to validate received payloads
+          Use this token to validate received payloads. It will be sent with the request in the X-Gitlab-Token HTTP header.
      .form-group
        = f.label :url, "Trigger", class: 'label-light'
        %ul.list-unstyled

--- a/doc/web_hooks/web_hooks.md
+++ b/doc/web_hooks/web_hooks.md
@@ -26,6 +26,10 @@ GitLab webhooks keep in mind the following things:
    you are writing a low-level hook this is important to remember.
 -   GitLab ignores the HTTP status code returned by your endpoint.

+## Secret Token
+
+If you specify a secret token, it will be sent with the hook request in the `X-Gitlab-Token` HTTP header. Your webhook endpoint can check that to verify that the request is legitimate.
+
 ## SSL Verification

 By default, the SSL certificate of the webhook endpoint is verified based on