Custom Header Support

Does the Shotgun Webhooks development team plan to support custom headers?
Our team needs to authenticate users (in this case, Shotgun Webhook) who come to the AWS API Gateway with the x-api-key header.
Ref. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-key-source.html

4 Likes

Hi @koya_iwamura,

Welcome to the community and thanks for posting! Let me check it out with the webhooks experts.

2 Likes

Hi @koya_iwamura,
Thank you very much for the request. We had no concrete plans to support custom headers but your use case makes total sense.

I have opened a ticket for this.

3 Likes

Hi @koya_iwamura, I was looking into the custom headers suggestion. However, the doc you sent contains two different approaches to providing the authentication. Is it possible that you could use the AUTHORIZER method instead?
I’ll admit I’ve not tried that myself, so I don’t know how simple it is or if there are any limitations.

2 Likes

The AUTHORIZER method is not suitable for Webhooks because they have to log in first to receive the token and then grant the token to make the request.
If Webhooks can send requests with arbitrary headers except the existing ones in Webhooks, then we can handle a variety of events (including authorization) with headers in the future.

1 Like

Wanted to provide an update that security implications were too great for us to support arbitrary custom headers. We may instead consider a more curated list.

1 Like

+1 on this, for what it’s worth. @zoe I would mention that not allowing us to put x-api-key in the header is a rather large security issue on our end, as we have to leave our AWS API gateway endpoints pretty much wide open. I realize that we can use the secure token to validate the request, but it would be MUCH easier to let AWS do this for us and discard any requests that are not authorized. Furthermore, AWS is going to charge us for compute time here, since we are going to have to validate the request inside the Lambda function. Please implement this ASAP.

1 Like
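
Added example, not part of the thread and not Shotgun's or any poster's code: a sketch of the in-Lambda check the last post refers to, where the function validates the request with the webhook's secret token because API Gateway cannot reject it on `x-api-key`. It assumes the webhook signs the raw request body with HMAC-SHA1 keyed by the secret token and sends the result as `sha1=<hex>` in an `X-SG-Signature` header (confirm both against the webhook documentation), an API Gateway proxy-integration event, and a hypothetical `WEBHOOK_SECRET` environment variable.

```python
import base64
import hashlib
import hmac
import os

# Assumption: header name and "sha1=<hex>" value format; verify against the webhook docs.
SIGNATURE_HEADER = "x-sg-signature"


def sign(secret: bytes, body: bytes) -> str:
    """Compute the signature value expected for this exact byte string."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the supplied signature matches the raw body."""
    # Header-name casing is not guaranteed, so match case-insensitively.
    supplied = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), None
    )
    if not supplied:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sign(secret, body).encode(), supplied.encode())


def handler(event, context, secret=None):
    """Lambda entry point: reject unsigned or tampered requests before any work."""
    if secret is None:
        secret = os.environ["WEBHOOK_SECRET"].encode()  # hypothetical variable name
    raw = event.get("body") or ""
    # Verify the bytes as delivered; re-serialising parsed JSON would change them.
    if event.get("isBase64Encoded"):
        body = base64.b64decode(raw)
    else:
        body = raw.encode("utf-8")
    if not verify(secret, event.get("headers") or {}, body):
        return {"statusCode": 401, "body": "invalid signature"}
    # Signature is valid: the event payload can now be parsed and processed.
    return {"statusCode": 200, "body": "ok"}
```

As the post notes, this check runs inside the function, so rejected requests still incur an invocation; an API Gateway usage plan or throttling limit can cap that cost.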