Details
Description
Issue Summary
When creating a webhook, a user should be able to secure it by adding both basic authentication credentials (if the webhook URL is authenticated) and a secret. The two fields serve different purposes: the credentials authenticate the request itself, whereas the secret authenticates the webhook payload and ensures that the request received is the one Bitbucket intended to send. Because each field has a different purpose, each is conveyed in a different request header. Credentials are sent via the Authorization header, whilst the secret is used to sign the payload and the resulting signature is sent via the X-Hub-Signature header. If a user wants to send a request that contains both headers, they'll need to provide both fields. Currently, the UI does not support this.
The secret is currently grouped under the "Authentication" heading in the webhook form, but it should not be. The two fields should be separated so that a user can add both, if desired.
Workaround
A user can create a webhook via REST API with a secret and credentials. The request body should contain the following:
{
  ...
  "configuration": { "secret": "XXX" },
  "credentials": { "username": "YYY", "password": "ZZZ" },
  ...
}
Both headers will then be added to the request.
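The following receiver-side check is an added example, not code from this issue or from Bitbucket; it shows why the two fields are independent by validating the Authorization header and the X-Hub-Signature header separately. It assumes the signature is a hex HMAC-SHA256 of the raw request body prefixed with "sha256=", and all function names and the sample request are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sign_payload(secret: str, body: bytes) -> str:
    """Sender side: signature header value (assumed format: sha256=<hex HMAC>)."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def check_basic_auth(headers: dict, username: str, password: str) -> bool:
    """Authenticates the caller: the Authorization header must carry the credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    received = headers.get("Authorization", "")
    return hmac.compare_digest(received.encode(), f"Basic {token}".encode())

def check_signature(headers: dict, secret: str, body: bytes) -> bool:
    """Authenticates the payload: recompute the HMAC over the exact bytes received."""
    received = headers.get("X-Hub-Signature", "")
    return hmac.compare_digest(received.encode(), sign_payload(secret, body).encode())

def verify_webhook(headers: dict, body: bytes, username: str,
                   password: str, secret: str) -> str:
    """Both checks must pass; each failure maps to a different response."""
    if not check_basic_auth(headers, username, password):
        return "401 bad credentials"   # caller is not who it claims to be
    if not check_signature(headers, secret, body):
        return "403 bad signature"     # payload missing a signature or altered
    return "200 ok"

# Constructed sample request, using the placeholder values from the workaround.
BODY = b'{"eventKey": "repo:refs_changed"}'
HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"YYY:ZZZ").decode(),
    "X-Hub-Signature": sign_payload("XXX", BODY),
}

if __name__ == "__main__":
    print(verify_webhook(HEADERS, BODY, "YYY", "ZZZ", "XXX"))
    # Same headers, modified body: credentials still pass, signature does not.
    print(verify_webhook(HEADERS, BODY + b" ", "YYY", "ZZZ", "XXX"))
```

A webhook created with credentials only would reach the signature check with no X-Hub-Signature header and be rejected there, which is the case the UI currently forces.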