feat: generic webhook provider with JSONPath payload extraction

Add a new "webhook" provider type that accepts arbitrary HTTP POST payloads,
extracts template variables via user-defined JSONPath mappings, and dispatches
notifications through the existing pipeline. Supports three auth modes
(HMAC-SHA256, Bearer token, none), bounded JSONPath cache, and 1MB payload limit.

Full stack: core provider + event parser, API endpoint, DB migration,
capabilities, seeds, default templates (EN/RU), frontend descriptor, i18n.

packages/server/src/notify_bridge_server/api/webhooks.py

@@ -15,6 +15,7 @@ from notify_bridge_core.models.events import ServiceEvent
 from notify_bridge_core.notifications.dispatcher import NotificationDispatcher, TargetConfig
 from notify_bridge_core.providers.gitea.event_parser import parse_webhook as parse_gitea_webhook
 from notify_bridge_core.providers.planka.event_parser import parse_webhook as parse_planka_webhook
+from notify_bridge_core.providers.webhook.event_parser import parse_webhook as parse_generic_webhook
 
 from ..database.engine import get_engine
 from ..database.models import (
@@ -289,6 +290,148 @@ async def planka_webhook(provider_id: int, request: Request):
     return {"ok": True, "dispatched": dispatched}
 
 
+# ---------------------------------------------------------------------------
+# Generic Webhook endpoint
+# ---------------------------------------------------------------------------
+
+def _verify_generic_webhook_auth(
+    config: dict[str, Any],
+    request: Request,
+    raw_body: bytes,
+) -> bool:
+    """Verify authentication for a generic webhook based on configured auth_mode."""
+    auth_mode = config.get("auth_mode", "none")
+
+    if auth_mode == "none":
+        return True
+
+    secret = config.get("webhook_secret", "")
+    if not secret:
+        return False
+
+    if auth_mode == "hmac_sha256":
+        # Support common signature headers
+        signature = (
+            request.headers.get("X-Hub-Signature-256", "")
+            or request.headers.get("X-Webhook-Signature", "")
+            or request.headers.get("X-Signature-256", "")
+        )
+        # Strip "sha256=" prefix if present (GitHub-style)
+        if signature.startswith("sha256="):
+            signature = signature[7:]
+        if not signature:
+            return False
+        expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
+        return hmac.compare_digest(expected, signature)
+
+    if auth_mode == "bearer_token":
+        auth_header = request.headers.get("Authorization", "")
+        if auth_header.startswith("Bearer "):
+            token = auth_header[7:]
+            return hmac.compare_digest(token, secret)
+        return False
+
+    return False
+
+
+@router.post("/webhook/{provider_id}")
+async def generic_webhook(provider_id: int, request: Request):
+    """Receive a generic webhook, extract variables via JSONPath, and dispatch notifications."""
+    engine = get_engine()
+
+    # --- Load provider and validate auth ---
+    async with AsyncSession(engine) as session:
+        provider = await session.get(ServiceProvider, provider_id)
+        if not provider or provider.type != "webhook":
+            raise HTTPException(status_code=404, detail="Provider not found")
+
+        provider_config = provider.config or {}
+        provider_name = provider.name
+
+    raw_body = await request.body()
+
+    # Enforce payload size limit BEFORE parsing JSON
+    if len(raw_body) > 1_000_000:
+        raise HTTPException(status_code=413, detail="Payload too large (max 1 MB)")
+
+    if not _verify_generic_webhook_auth(provider_config, request, raw_body):
+        raise HTTPException(status_code=403, detail="Authentication failed")
+
+    # Parse JSON payload
+    try:
+        payload = await request.json()
+    except Exception:
+        raise HTTPException(status_code=400, detail="Invalid JSON")
+
+    # Parse via JSONPath mappings
+    req_headers = dict(request.headers)
+    event = parse_generic_webhook(payload, provider_name, provider_config, headers=req_headers)
+    if event is None:
+        return {"ok": True, "skipped": "parse failed"}
+
+    # Inject source IP
+    source_ip = request.client.host if request.client else ""
+    event.extra["source_ip"] = source_ip
+
+    # --- Find trackers for this provider and dispatch ---
+    dispatched = 0
+    async with AsyncSession(engine) as session:
+        tracker_result = await session.exec(
+            select(NotificationTracker).where(
+                NotificationTracker.provider_id == provider_id,
+                NotificationTracker.enabled == True,
+            )
+        )
+        trackers = tracker_result.all()
+
+        for tracker in trackers:
+            filters = tracker.filters or {}
+            if not _passes_filters(event, filters):
+                _LOGGER.debug(
+                    "Event filtered out for tracker %d (%s)", tracker.id, tracker.name
+                )
+                continue
+
+            link_data = await load_link_data(session, tracker.id)
+            if not link_data:
+                continue
+
+            # Log event
+            session.add(EventLog(
+                tracker_id=tracker.id,
+                tracker_name=tracker.name,
+                provider_id=provider_id,
+                provider_name=provider_name,
+                event_type=event.event_type.value,
+                collection_id=event.collection_id,
+                collection_name=event.collection_name,
+                assets_count=0,
+                details={
+                    "provider_type": "webhook",
+                    "event_type_raw": event.extra.get("event_type_raw", ""),
+                    "source_ip": source_ip,
+                },
+            ))
+
+            # Dispatch to targets
+            dispatcher = NotificationDispatcher()
+            target_configs = _build_target_configs(event, link_data, provider_config)
+            if target_configs:
+                results = await dispatcher.dispatch(event, target_configs)
+                for r in results:
+                    if r.get("success"):
+                        dispatched += 1
+                    else:
+                        _LOGGER.error(
+                            "Notification failed for tracker %d: %s",
+                            tracker.id, r.get("error", "unknown"),
+                        )
+
+        await session.commit()
+
+    return {"ok": True, "dispatched": dispatched}
+
+
 def _build_target_configs(
     event: ServiceEvent,
     link_data: list[dict[str, Any]],