From 03d6c55855ee4c60a4e7e5a7c5f405dd60f2b51d Mon Sep 17 00:00:00 2001 From: Catherine Date: Mon, 15 Sep 2025 16:25:33 +0000 Subject: [PATCH] Allow supplying `Authorization:` via query parameter. There is no other way to authorize GitHub and Gogs webhook payloads. --- README.md | 2 +- src/pages.go | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 52533ab..328d474 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ DNS is used for authorization of content updates. - If a `[wildcard]` configuration section is specified, and if the suffix of a hostname in a `POST` request is equal to `[wildcard].domain`, then the request is authorized when and only when the repository URL in the event body matches the repository URL computed from the configuration file. Otherwise the next rule is used. -- If a `PUT` or `POST` request is received at `` with an `Authorization: Pages ` header, then the request is authorized when any of the the TXT records at `_git-pages-challenge.` are equal to `SHA256(" ")`. +- If a `PUT` or `POST` request is received at `` with an `Authorization: Pages ` header (or, in absence of such, with an `?Authorization=Pages+` query parameter), then the request is authorized when any of the the TXT records at `_git-pages-challenge.` are equal to `SHA256(" ")`. Architecture diff --git a/src/pages.go b/src/pages.go index 831580d..bc493e1 100644 --- a/src/pages.go +++ b/src/pages.go @@ -174,6 +174,13 @@ func postPage(w http.ResponseWriter, r *http.Request) error { } allowRepoURL = fmt.Sprintf(config.Wildcard.CloneURL, userName, repoName) } else { + // GitHub and Gogs cannot supply an `Authorization:` header. + if r.Header.Get("Authorization") == "" { + if value := r.URL.Query().Get("Authorization"); value != "" { + r.Header.Set("Authorization", value) + } + } + if err := Authorize(w, r); err != nil { return err }