Skip to content

Add option to skip signature verification #821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 18, 2025
Merged

Add option to skip signature verification #821

merged 8 commits into from
Sep 18, 2025

Conversation

@habara-k
Copy link
Contributor

Changes

  • Allow skipping signature verification for webhooks

Motivation

The signature returned with webhooks is calculated using a single channel secret. If the bot owner changes their channel secret, the signature for webhooks starts being calculated using the new channel secret. To avoid signature verification failures, the bot owner must update the channel secret on their server, which is used for signature verification. However, if there is a timing mismatch in the update—and such a mismatch is almost unavoidable—verification will fail during that period.

In such cases, having an option to skip signature verification for webhooks would be a convenient way to avoid these issues.

Related PRs

@habara-k habara-k force-pushed the allow-to-skip-signature-verification branch from e9cc8d8 to ddbbd44 Compare July 2, 2025 06:39
@habara-k habara-k requested a review from a team July 4, 2025 01:41
Yang-33
Yang-33 reviewed Jul 4, 2025
View reviewed changes
Copy link
Contributor

@Yang-33 Yang-33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you address comments written in line/line-bot-sdk-go#595 (review) in this repository?

@habara-k habara-k requested review from Yang-33 and removed request for Yang-33 July 8, 2025 05:26
@habara-k habara-k force-pushed the allow-to-skip-signature-verification branch from 39d9b47 to 9f0b4f0 Compare July 8, 2025 06:13
@habara-k habara-k requested a review from Yang-33 July 8, 2025 06:18
Yang-33
Yang-33 reviewed Jul 8, 2025
View reviewed changes
README.rst Outdated
# or with skip_signature_verification
parser = linebot.v3.WebhookParser(
'YOUR_CHANNEL_SECRET',
skip_signature_verification=lambda: True # or a function that returns a boolean
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line/line-bot-sdk-go#595 (comment)
Therefor I think False should be used in example.

Yang-33
Yang-33 reviewed Jul 8, 2025
View reviewed changes
linebot/v3/webhook.py
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

line/line-bot-sdk-go#595 (comment)

@habara-k habara-k requested a review from Yang-33 September 18, 2025 04:50
@Yang-33
Copy link
Contributor

Yang-33 commented Sep 18, 2025

please release after merging this change~

@habara-k habara-k added this pull request to the merge queue Sep 18, 2025
Merged via the queue into line:master with commit 073747e Sep 18, 2025
13 checks passed
@habara-k habara-k deleted the allow-to-skip-signature-verification branch September 18, 2025 05:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Yang-33 Yang-33 Yang-33 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@habara-k @Yang-33