How to restrict GitHub App Usage to Specific Users ?

[Sonali-Behera-TRT]

Select Topic Area

Question

Body

I'm currently beta testing a GitHub app and want to limit its usage to a specific set of users, even though multiple users may install the app on their repositories. The app uses webhook events for triggers, and I am already validating the webhook signatures using a webhook secret to ensure the authenticity of the requests.

However, I need to add an extra layer of authorization where only certain users, who I’ve shared an API key or token with, can interact with my app. The goal is to block unapproved users from using the app, even if they install it. Is it possible to implement this type of access control within the GitHub app environment, or is there a built-in GitHub feature that supports this scenario?

Any guidance or suggestions on how to set up such an authorization system while still ensuring the security and integrity of webhook requests would be appreciated!

[yolorabbit]

Hi @Sonali-Behera-TRT ,

Hope you are doing well.

Unfortunately, GitHub itself doesn't provide direct built-in support for restricting app usage based on custom user-defined conditions (like API keys or a list of approved users).
However, the approach outlined below can be implemented within your app to achieve the same effect.

1. Store approved users.

{
  "approved_users": [
    { "username": "user1", "api_key": "abc123" },
    { "username": "user2", "api_key": "xyz789" }
  ]
}

2. When a webhook event is received.

const approvedUsers = ['user1', 'user2'];  // Your list of approved users
const username = webhookPayload.sender.login;  // Extract GitHub username

if (!approvedUsers.includes(username)) {
  // Block further processing if user is not approved
  return res.status(403).send('Unauthorized user');
}

// Proceed with the event processing if user is approved

Adding this code to your project will solve the issue you are facing.
I wish this will help you.

All the best,
@yolorabbit

[Sonali-Behera-TRT]

Hi @yolorabbit,

Thank you for your suggestion! The approach you've outlined for managing authorized users within the app makes perfect sense. I really appreciate the clarity on checking the username from the webhook payload against a list of approved users.

I’m curious if there’s a way to dynamically pass custom headers or query parameters in the webhook request to help identify users directly via the request URL, rather than processing the payload afterward.

Are there any other headers or built-in fields within the webhook requests that could help restrict usage based on the user before processing the payload? Or perhaps some GitHub app settings that might be useful in this case? Additionally, does GitHub allow anyone to install the app, or is there a way to take input from the user that can help validate them before installation?

Thanks again for your helpful insights!

Best regards,
@Sonali-Behera-TRT

[yolorabbit]

Hi @Sonali-Behera-TRT ,

Actually, Github does not natively support adding custom headers or query parameters in webhook requests. Webhooks from Github are fairly standardized in terms of the structure and the content.

I think these Github Web hook headers and built-in fields will help you restrict app usage.

• X-Github-Event
  It identifies the type of event like push, pull_request. You can use this to only respond to events from approved users.
• X-Hub-Signature and X-Hub-Signature-256
  These signatures verify the webhook's authenticity. I think it's crucial to check them before processing the request.
• X-Github-Delivery Header
  A unique identifier for each delivery. It can be used for tracking purpose.
• Webhook Payload
  The sender field in the webhook payload contains detailed information about the user who triggered the event. This includes Github login(username), id, and profile information. You can use this information to cross-check your list of authorized users.
  This is payload structure.

{
  "sender": {
    "login": "authorized_user",
    "id": 123456,
    "type": "User"
  }
}

It's impossible to dynamically pass extra identifying information (like custom query parameters or headers) within the webhook request sent by Github. We will need to validate the user based on the payload which is the most viable solution.

Best,
@yolorabbit

[Sonali-Behera-TRT]

@yolorabbit Thanks for the helpful insights!