Zotonic Deployment with GitHub: Authentication Sort of Solved

Although there is no official authentication spec, a shared key and source IP verification are better than nothing and are what I implemented.

It turns out that authentication is not impossible, but it is also not terribly likely to provide any assurance of integrity. However, it is better than nothing and the best I have to offer at the moment.

I implemented a pair of simple verifications to protect users of mod_github_sync: source IP white-listing and URL token verification. Both have obvious weaknesses, but together they certainly keep the run-of-the-mill vandal off the scent.
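The two checks described above, sketched as an added example in Python; this is not the code of mod_github_sync. The `token` query parameter name, the `/hook` path, the networks and the token value are all constructed assumptions.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample values: documentation address ranges and a made-up
# token, not GitHub's published hook ranges or any real configuration.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]
SHARED_TOKEN = "s3cr3t-constructed-token"


def ip_allowed(peer_ip, nets=ALLOWED_NETS):
    """True if the TCP peer address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: reject
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) as seen on dual-stack listeners.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in nets)


def token_ok(url, expected=SHARED_TOKEN):
    """Constant-time comparison of the ?token= value against the shared key."""
    values = parse_qs(urlsplit(url).query).get("token", [])
    if len(values) != 1:  # missing, empty or repeated parameter: reject
        return False
    return hmac.compare_digest(values[0].encode(), expected.encode())


def authorize(peer_ip, url):
    """Both checks must pass. peer_ip must come from the socket itself,
    never from a client-supplied header such as X-Forwarded-For."""
    ip_good = ip_allowed(peer_ip)
    tok_good = token_ok(url)  # always evaluate both checks
    return ip_good and tok_good


if __name__ == "__main__":
    good = "/hook?token=s3cr3t-constructed-token"
    print(authorize("192.0.2.10", good))    # allow-listed peer, right token
    print(authorize("203.0.113.5", good))   # right token, wrong source
    print(authorize("192.0.2.10", "/hook?token=guess"))
```

A token carried in the URL also ends up in access logs and proxy logs, so those files need the same protection as the shared key itself.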

A denial of service is possible with this module, as a determined attacker could tie up the server with a lot of git pulls and module rescans if they manage to spoof the IPs and guess the token.

My assessment is that anyone capable of spoofing IPs in a TCP session likely has easier ways of attacking the Zotonic server than this.