fix(docker-watcher): address final review findings

Security: - Move config export behind auth middleware - Validate OIDC callback token before storing in localStorage - Use constant-time comparison for webhook secret - Encrypt OIDC client secret at rest (like registry tokens) Performance: - Make TriggerDeploy async from HTTP handlers (return deploy ID immediately, run pipeline in background goroutine) Robustness: - Wrap api.ts res.json() in try/catch for non-JSON responses i18n: - Replace ~20 hardcoded English validation messages with $t() calls - Localize ConfirmDialog cancel button, InstanceCard confirm titles, ProjectCard instance/instances pluralization - Add validation keys to both en.json and ru.json
2026-03-28 00:14:53 +03:00
parent a3aa5912d9
commit 1f81ca9eb0
17 changed files with 178 additions and 40 deletions
@@ -10,6 +10,7 @@ import (
 	"github.com/go-chi/chi/v5"

 	"github.com/alexei/docker-watcher/internal/auth"
+	"github.com/alexei/docker-watcher/internal/crypto"
 	"github.com/alexei/docker-watcher/internal/store"
 )

@@ -207,12 +208,23 @@ func (s *Server) updateAuthSettings(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// If client secret is masked, preserve the existing value.
+	// If client secret is masked, preserve the existing encrypted value.
 	if req.OIDCClientSecret == "********" || req.OIDCClientSecret == "" {
 		existing, err := s.store.GetAuthSettings()
 		if err == nil {
 			req.OIDCClientSecret = existing.OIDCClientSecret
 		}
+	} else {
+		// Encrypt the new client secret before storage.
+		encrypted, err := crypto.Encrypt(s.encKey, req.OIDCClientSecret)
+		if err != nil {
+			respondError(w, http.StatusInternalServerError, "failed to encrypt OIDC client secret")
+			return
+		}
+		// Keep plaintext for OIDC init below, store encrypted.
+		plaintextSecret := req.OIDCClientSecret
+		req.OIDCClientSecret = encrypted
+		defer func() { req.OIDCClientSecret = plaintextSecret }()
 	}

 	if err := s.store.UpdateAuthSettings(req); err != nil {
@@ -137,16 +137,18 @@ func (s *Server) quickDeploy(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// Trigger deploy.
-	if err := s.deployer.TriggerDeploy(r.Context(), project.ID, stage.ID, req.Tag); err != nil {
+	// Trigger deploy asynchronously.
+	deployID, err := s.deployer.AsyncTriggerDeploy(r.Context(), project.ID, stage.ID, req.Tag)
+	if err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to trigger deploy: "+err.Error())
 		return
 	}

 	respondJSON(w, http.StatusAccepted, map[string]any{
-		"project": project,
-		"stage":   stage,
-		"tag":     req.Tag,
+		"project":   project,
+		"stage":     stage,
+		"tag":       req.Tag,
+		"deploy_id": deployID,
 		"status":  "deploying",
 	})
 }
@@ -74,12 +74,14 @@ func (s *Server) deployInstance(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if err := s.deployer.TriggerDeploy(r.Context(), projectID, stageID, req.ImageTag); err != nil {
+	deployID, err := s.deployer.AsyncTriggerDeploy(r.Context(), projectID, stageID, req.ImageTag)
+	if err != nil {
 		respondError(w, http.StatusInternalServerError, "failed to trigger deploy: "+err.Error())
 		return
 	}
 	respondJSON(w, http.StatusAccepted, map[string]string{
 		"status":     "deploying",
+		"deploy_id":  deployID,
 		"project_id": projectID,
 		"stage_id":   stageID,
 		"image_tag":  req.ImageTag,
@@ -188,4 +190,5 @@ func (s *Server) controlInstance(w http.ResponseWriter, r *http.Request, action
 // DeployTriggerer is the interface for triggering deployments.
 type DeployTriggerer interface {
 	TriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) error
+	AsyncTriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) (string, error)
 }
@@ -7,6 +7,7 @@ import (
 	"github.com/go-chi/chi/v5"

 	"github.com/alexei/docker-watcher/internal/auth"
+	"github.com/alexei/docker-watcher/internal/crypto"
 	"github.com/alexei/docker-watcher/internal/docker"
 	"github.com/alexei/docker-watcher/internal/events"
 	"github.com/alexei/docker-watcher/internal/store"
@@ -57,10 +58,18 @@ func NewServer(

 // initOIDCProvider creates an OIDC provider from settings. Errors are logged, not fatal.
 func (s *Server) initOIDCProvider(ctx context.Context, as store.AuthSettings) {
+	// Decrypt the OIDC client secret if it's encrypted.
+	clientSecret := as.OIDCClientSecret
+	if clientSecret != "" {
+		if decrypted, err := crypto.Decrypt(s.encKey, clientSecret); err == nil {
+			clientSecret = decrypted
+		}
+		// If decrypt fails, assume it's already plaintext (migration scenario).
+	}
 	provider, err := auth.NewOIDCProvider(ctx, auth.OIDCConfig{
 		IssuerURL:    as.OIDCIssuerURL,
 		ClientID:     as.OIDCClientID,
-		ClientSecret: as.OIDCClientSecret,
+		ClientSecret: clientSecret,
 		RedirectURL:  as.OIDCRedirectURL,
 	})
 	if err != nil {
@@ -90,13 +99,13 @@ func (s *Server) Router() chi.Router {
 		// Webhook handler (uses its own secret-based auth).
 		r.Mount("/webhook", s.webhook.Route())

-		// Config export (public endpoint, useful for backup).
-		r.Get("/config/export", s.exportConfig)
-
 		// Protected routes: require valid JWT.
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(s.localAuth))

+			// Config export (protected — reveals project/infra details).
+			r.Get("/config/export", s.exportConfig)
+
 			// Auth management.
 			r.Get("/auth/me", s.currentUser)
 			r.Get("/auth/settings", s.getAuthSettings)
@@ -72,8 +72,54 @@ func (d *Deployer) Drain() {
 	slog.Info("deployer: all deploys drained")
 }

-// TriggerDeploy is the main entry point for deployments. It orchestrates the full flow:
-// pull image -> create container -> start -> configure proxy -> health check.
+// AsyncTriggerDeploy creates a deploy record and returns the deploy ID immediately,
+// then runs the full deploy pipeline in a background goroutine. Use this from HTTP handlers
+// to avoid blocking the request. Progress is streamed via SSE.
+func (d *Deployer) AsyncTriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) (string, error) {
+	if d.shuttingDown.Load() {
+		return "", fmt.Errorf("deployer is shutting down, rejecting new deploy")
+	}
+
+	// Validate inputs synchronously so the caller gets immediate feedback.
+	project, err := d.store.GetProjectByID(projectID)
+	if err != nil {
+		return "", fmt.Errorf("get project: %w", err)
+	}
+	stage, err := d.store.GetStageByID(stageID)
+	if err != nil {
+		return "", fmt.Errorf("get stage: %w", err)
+	}
+	if err := d.validatePromoteFrom(stage, imageTag); err != nil {
+		return "", fmt.Errorf("promote validation: %w", err)
+	}
+
+	// Create deploy record synchronously so caller gets the ID.
+	deploy, err := d.store.CreateDeploy(store.Deploy{
+		ProjectID: projectID,
+		StageID:   stageID,
+		ImageTag:  imageTag,
+		Status:    "pending",
+	})
+	if err != nil {
+		return "", fmt.Errorf("create deploy record: %w", err)
+	}
+
+	// Run the actual deploy in the background.
+	d.activeWg.Add(1)
+	go func() {
+		defer d.activeWg.Done()
+		// Use a detached context so client disconnect doesn't abort the deploy.
+		bgCtx := context.Background()
+		if err := d.runDeploy(bgCtx, project, stage, deploy.ID, imageTag); err != nil {
+			slog.Error("async deploy failed", "deploy_id", deploy.ID, "error", err)
+		}
+	}()
+
+	return deploy.ID, nil
+}
+
+// TriggerDeploy is the synchronous entry point for deployments (used by poller and webhook).
+// It orchestrates the full flow: pull image -> create container -> start -> configure proxy -> health check.
 // On failure, it rolls back (removes container, deletes proxy host, updates status).
 func (d *Deployer) TriggerDeploy(ctx context.Context, projectID, stageID, imageTag string) error {
 	if d.shuttingDown.Load() {
@@ -2,6 +2,7 @@ package webhook

 import (
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -144,7 +145,7 @@ func (h *Handler) handleWebhook(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if settings.WebhookSecret == "" || settings.WebhookSecret != secret {
+	if settings.WebhookSecret == "" || subtle.ConstantTimeCompare([]byte(settings.WebhookSecret), []byte(secret)) != 1 {
 		http.NotFound(w, r)
 		return
 	}