PythonistaGuild/TwitchIO

eventsub server does not actually enforce webhook_secret verification

kamalmostafa opened this issue · 1 comments

Use the twitch-cli test tool ( https://github.com/twitchdev/twitch-cli ) to generate and send dummy eventsub messages to the TwitchIO eventsub client... but specify a bogus webhook_secret instead of the correct secret, e.g.:
$ twitch -F "$CALLBACK_URL" -s "bogussecret" event trigger follow

TwitchIO recognizes the mismatch and logs in BaseEvent.verify(): Recieved a message with an invalid signature, discarding. but the client then proceeds to run_event() the notification event anyway!

TwitchIO eventsub should (actually) reject messages which don't pass webhook_secret verification.
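Added example (not TwitchIO's own code) of what enforcing that verification looks like: the HMAC-SHA256 check Twitch EventSub specifies, with the logged-but-still-dispatched pattern the issue describes beside a handler that actually rejects the delivery. The header names and signature construction are Twitch's documented ones; the secret, message id, timestamp and body below are constructed sample values.

```python
import hashlib
import hmac
import logging

log = logging.getLogger(__name__)

# Twitch EventSub signs message_id + timestamp + raw body with the webhook
# secret and sends the result as "sha256=<hex>" in the signature header.
SIGNATURE_HEADER = "Twitch-Eventsub-Message-Signature"
HMAC_PREFIX = "sha256="


def compute_signature(secret: str, headers: dict, body: bytes) -> str:
    # Missing headers fall back to "" so verification fails instead of raising.
    message = (
        headers.get("Twitch-Eventsub-Message-Id", "").encode()
        + headers.get("Twitch-Eventsub-Message-Timestamp", "").encode()
        + body
    )
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return HMAC_PREFIX + digest


def verify(secret: str, headers: dict, body: bytes) -> bool:
    # Constant-time comparison; a wrong or absent secret yields a mismatch.
    received = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(compute_signature(secret, headers, body), received)


def handle_notification_unenforced(secret, headers, body, run_event):
    # The pattern described in the issue: the mismatch is only logged.
    if not verify(secret, headers, body):
        log.warning("Received a message with an invalid signature, discarding.")
    return run_event(body)  # BUG: still dispatched


def handle_notification(secret, headers, body, run_event):
    # Hardened: a failed check returns 403 before any handler runs.
    if not verify(secret, headers, body):
        log.warning("Received a message with an invalid signature, discarding.")
        return 403, None
    return 200, run_event(body)


# Constructed sample delivery, signed with the correct secret.
SECRET = "correct-secret"
BODY = b'{"subscription":{"type":"channel.follow"},"event":{"user_name":"alice"}}'
HEADERS = {
    "Twitch-Eventsub-Message-Id": "msg-0001",
    "Twitch-Eventsub-Message-Timestamp": "2024-01-01T00:00:00Z",
}
HEADERS[SIGNATURE_HEADER] = compute_signature(SECRET, HEADERS, BODY)
```

Running the hardened handler with "bogussecret" against the sample delivery returns 403 without dispatching, which is the behaviour the issue asks for.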

Hello! Thanks for the issue. If this is a general help question, for a faster response consider joining the official Discord Server

Else if you have an issue with the library please wait for someone to help you here.