Authenticating requests

[swelcom]

Hello kffl

I don't quite understand the "Authenticating requests" function. If I define a webhooks_secret, I should be able to open the POST at the target URL only if I authenticate with my webhooks_secret. But I can receive and read the POST on the target URL without authentication.
Maybe I understand something wrong?

Thanks for your help.

Greetings
swelcom

[stefan2904]

(I am not the maintainer)

If I define a webhooks_secret, I should be able to open the POST at the target URL only if I authenticate with my webhooks_secret.

No, the other way around. The secret is used to authenticate the message/request. Thus, it can be used by the server at the URL to make sure the request is really from a specific nextcloud. It is in the target server's interest to verify this (or rely on an unguessable URL) to make sure no one else can send requests.

Simplified, the webook plugin uses the secret to authenticate ("log in") at the URL.