Invalid Secret Errors

Paul_Wilkinson · July 17, 2022, 2:24pm

I am following this tutorial : https://www.mongodb.com/docs/atlas/app-services/tutorial/backend/

When GitHub tries to call the webhook I get an error due to an invalid secret. I can see the errors in the logs at both ends, and they both say that the secret is invalid.

The steps I am using to set up the secret:

On the realm endpoint, under authorisation I set ‘request validation’ to `require secret’ and then create a secret called ‘tutorial’ whose value is ‘tutorial.
On GitHub, just go to the web hook, tap ‘change secret’ and enter ‘tutorial’.

Some things I have tried:

I have updated the secret several times. The secret name and the secret are both ‘tutorial’.
I have tried Application and System authentication on the Realm side
I have left the endpoint as POST
I left SSL enabled in GitHub

Any ideas what else I can try?
Cheers!

Adan_Aguilar · November 7, 2022, 7:36pm

I have the same problem. how did you resolved it?

santimir · December 28, 2022, 6:32pm

I know this is old but may help other users.

You may have missed this line from the tutorial:

This requires all incoming requests to include the query parameter secret=tutorial in the request URL.

So the actual secret that GH stores isn’t very important, the essential bit is to write your url as https://yourAtlasRealmUrl?secret=mysecret. Now from my understanding this isn’t a good idea. See this SO discussion.

I don’t know of any other way to be honest. @Paul_Wilkinson @Adan_Aguilar

Rahul_Pathak1 · July 1, 2023, 11:07pm

Yes, this is what I also end up doing.

But as you already mentioned this is not very secure.

Don’t know why MongoDB did not corrected this still.