DRONE_ENV_PLUGIN_TOKEN does not allow DRONE_ENV_PLUGIN_ENDPOINT verification via http signature

denisn-ewave · June 9, 2021, 6:03am

Env variables:
DRONE_ENV_PLUGIN_ENDPOINT=http://host.docker.internal:3980/api/ci/env
DRONE_ENV_PLUGIN_TOKEN=super-duper-secret
DRONE_YAML_ENDPOINT=http://host.docker.internal:3980/api/ci/yaml
DRONE_YAML_SECRET=super-duper-secret

Server use HttpSignature ( http-signature - npm ) package to verify the authenticity and integrity for YAML and ENV endpoints :

async authenticate(req, h) {
      const parsedSignature = HttpSignature.parseRequest(req.raw.req);

      if (!HttpSignature.verifyHMAC(parsedSignature, 'super-duper-secret')) {
        return h.unauthenticated(Boom.unauthorized(`Missing or invalid CI secret`));
      }

      return h.authenticated({
        credentials: {
          user: 'ci',
          scope: ['ci'],
        },
      });
    },

Env endpoint (ENV_PLUGIN_ENDPOINT) returns status code 401.
Although for the Yaml endpoint (DRONE_YAML_ENDPOINT) everything works fine and it returns status code 200.

What’s the difference in checking a shared secret for DRONE_ENV_PLUGIN_ENDPOINT and DRONE_YAML_ENDPOINT?

Topic		Replies	Views
[SOLVED] How do I verify the secret for a Drone extension? Drone Support	1	291	June 9, 2021
Drone runner not making secret extension requests to DRONE_SECRET_PLUGIN_ENDPOINT Drone Support	2	307	October 13, 2021
Drone-vault: Missing vault address Drone Support	14	1648	February 4, 2019
Does the "verify" API endpoint work? Drone Support	0	760	January 13, 2021
Drone-cli: plugins "unsupported protocol scheme" Drone Support	2	1849	February 20, 2019

DRONE_ENV_PLUGIN_TOKEN does not allow DRONE_ENV_PLUGIN_ENDPOINT verification via http signature

Related topics