Replace the single global webhook secret with entity-scoped secrets stored
on each project and static site. Webhook-driven project autocreate is
removed — projects must exist before their URL can trigger deploys.
Also wires static-site webhooks (sync_trigger=push|tag), turning the
previously inert "push" trigger into a functional one: POST the site's
webhook URL from a Git provider and Tinyforge re-syncs on matching refs.
- Adds webhook_secret columns + unique indexes to projects and static_sites
- Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook
and /api/sites/{id}/webhook (admin-only)
- Removes /api/settings/webhook-url and the global webhook panel
- Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru
- Tests for matcher (siteRefMatches, ParseImageRef) and handler (project
match/mismatch/404 and site push/manual/branch-skip)
This commit is contained in:
@@ -13,23 +13,27 @@ import (
|
||||
const staticSiteCols = `id, name, provider, gitea_url, repo_owner, repo_name, branch, folder_path,
|
||||
access_token, domain, mode, render_markdown, sync_trigger, tag_pattern,
|
||||
container_id, proxy_route_id, status, last_sync_at, last_commit_sha, error,
|
||||
storage_enabled, storage_limit_mb, created_at, updated_at`
|
||||
storage_enabled, storage_limit_mb, webhook_secret, created_at, updated_at`
|
||||
|
||||
// CreateStaticSite inserts a new static site and returns it.
|
||||
// CreateStaticSite inserts a new static site and returns it. A webhook secret
|
||||
// is generated automatically if one is not already set on the input.
|
||||
func (s *Store) CreateStaticSite(site StaticSite) (StaticSite, error) {
|
||||
site.ID = uuid.New().String()
|
||||
site.CreatedAt = Now()
|
||||
site.UpdatedAt = site.CreatedAt
|
||||
if site.WebhookSecret == "" {
|
||||
site.WebhookSecret = uuid.New().String()
|
||||
}
|
||||
|
||||
_, err := s.db.Exec(
|
||||
`INSERT INTO static_sites (`+staticSiteCols+`)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
site.ID, site.Name, site.Provider, site.GiteaURL, site.RepoOwner, site.RepoName,
|
||||
site.Branch, site.FolderPath, site.AccessToken, site.Domain, site.Mode,
|
||||
BoolToInt(site.RenderMarkdown), site.SyncTrigger, site.TagPattern,
|
||||
site.ContainerID, site.ProxyRouteID, site.Status, site.LastSyncAt,
|
||||
site.LastCommitSHA, site.Error, BoolToInt(site.StorageEnabled), site.StorageLimitMB,
|
||||
site.CreatedAt, site.UpdatedAt,
|
||||
site.WebhookSecret, site.CreatedAt, site.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return StaticSite{}, fmt.Errorf("insert static site: %w", err)
|
||||
@@ -222,7 +226,7 @@ func scanStaticSiteRow(row *sql.Row) (StaticSite, error) {
|
||||
&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
|
||||
&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
|
||||
&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
|
||||
&site.CreatedAt, &site.UpdatedAt,
|
||||
&site.WebhookSecret, &site.CreatedAt, &site.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return StaticSite{}, err
|
||||
@@ -242,7 +246,7 @@ func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
|
||||
&renderMarkdown, &site.SyncTrigger, &site.TagPattern,
|
||||
&site.ContainerID, &site.ProxyRouteID, &site.Status, &site.LastSyncAt,
|
||||
&site.LastCommitSHA, &site.Error, &storageEnabled, &site.StorageLimitMB,
|
||||
&site.CreatedAt, &site.UpdatedAt,
|
||||
&site.WebhookSecret, &site.CreatedAt, &site.UpdatedAt,
|
||||
)
|
||||
if err != nil {
|
||||
return StaticSite{}, fmt.Errorf("scan static site: %w", err)
|
||||
@@ -251,3 +255,55 @@ func scanStaticSiteRows(rows *sql.Rows) (StaticSite, error) {
|
||||
site.StorageEnabled = storageEnabled != 0
|
||||
return site, nil
|
||||
}
|
||||
|
||||
// GetStaticSiteByWebhookSecret looks up a static site by its webhook secret.
|
||||
// Returns ErrNotFound if no site has this secret (including empty).
|
||||
func (s *Store) GetStaticSiteByWebhookSecret(secret string) (StaticSite, error) {
|
||||
if secret == "" {
|
||||
return StaticSite{}, ErrNotFound
|
||||
}
|
||||
site, err := scanStaticSiteRow(s.db.QueryRow(
|
||||
`SELECT `+staticSiteCols+` FROM static_sites WHERE webhook_secret = ?`, secret,
|
||||
))
|
||||
if errors.Is(err, sql.ErrNoRows) {
|
||||
return StaticSite{}, ErrNotFound
|
||||
}
|
||||
if err != nil {
|
||||
return StaticSite{}, fmt.Errorf("query static site by webhook secret: %w", err)
|
||||
}
|
||||
return site, nil
|
||||
}
|
||||
|
||||
// SetStaticSiteWebhookSecret assigns a webhook secret to a static site.
|
||||
// Pass an empty string to disable webhook access for the site.
|
||||
func (s *Store) SetStaticSiteWebhookSecret(id, secret string) error {
|
||||
result, err := s.db.Exec(
|
||||
`UPDATE static_sites SET webhook_secret=?, updated_at=? WHERE id=?`,
|
||||
secret, Now(), id,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("set static site webhook secret: %w", err)
|
||||
}
|
||||
n, _ := result.RowsAffected()
|
||||
if n == 0 {
|
||||
return fmt.Errorf("static site %s: %w", id, ErrNotFound)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// EnsureStaticSiteWebhookSecret returns the current webhook secret for a site,
|
||||
// generating one on the fly if the stored value is empty (lazy backfill).
|
||||
func (s *Store) EnsureStaticSiteWebhookSecret(id string) (string, error) {
|
||||
site, err := s.GetStaticSiteByID(id)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if site.WebhookSecret != "" {
|
||||
return site.WebhookSecret, nil
|
||||
}
|
||||
secret := uuid.New().String()
|
||||
if err := s.SetStaticSiteWebhookSecret(id, secret); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return secret, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user