Refuse an installation if response is not 200


#1

Hi, is it possible to refuse an GithubApp installation request if the callback URL returns a not 200 response ?
At the moment it seems to me that the application will be installed in any case.


#3

Hi @zazasa :wave:

Hi, is it possible to refuse an GithubApp installation request if the callback URL returns a not 200 response ?
At the moment it seems to me that the application will be installed in any case.

No, that’s not possible currently. Could you clarify why this would be useful to you – what’s your specific use-case here? I’d be happy to pass that along to the team.


#4

Hello @izuzak,

thanks for your time :).

I am developing a service to allow my user to store their GitHub release into my system.
I want accept only the payloads coming from github user linked to my internal user account, so it will make no sense for me to receive the payload from other github users.
In order to do it, i will ask my users to verify their github account using OAuth, and then i ask them to install the github Application.
Then when i receive the payload of an installation (X-GitHub-Event: installation), i want to check if the user is present in my system, and if not, just refuse the installation (maybe with a nice feedback, i could send a 401 with a message).

Of course, if this is not possible, i can still use it, just ignoring any payload from “non accepted” user, but as you can see would be much more cleaner in the way that i propose.

I hope it is clear enough. Let me know if you need more information.


#5

We are in a similar situation, we are building a CLA platform for GitHub but only wants to authorize installation for people that have enrolled in the service before hand (uploaded CLA Legal Documents, etc…). Of course we can ignore webhooks, but that will still cost us X dollars in lambda fees to process those unnecessary requests coming in.


#6

Thanks so much for sharing your use-cases, @zazasa @zikphil :bow: – I’ve passed this along to the team internally to consider. We’ll followup as soon as there’s any news on this, but I can’t promise an ETA.


#7

I’d like to +1 this functionality as well, but would request the ability to be able to remove an installation, so if the customer closes their account, we can remove the installation for them. If they then enable an installation, we could then use the same functionality to remove it, but ideally there’d be some user feedback on the GitHub side so they knew the installation was removed/rejected.


#8

Yes I agree this would also be a very welcomed addition.