alexei.dolgolyov/tiny-forge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(webhook): HMAC-SHA256 signature verification on inbound webhooks

Browse Source 
Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough
to forge deploy/sync requests — the caller must also know a separate
signing secret. Header format is X-Hub-Signature-256, matching the
Gitea/GitHub/GitLab convention so existing CI integrations work without
custom code.

Behaviour:
- per-project / per-site signing_secret is independent of the URL secret
- require_signature flag does a hard 401 on missing/invalid signatures
- even when require_signature is off, an *invalid* submitted signature
  returns 401 — surfaces CI misconfiguration instead of silently passing
- comparison uses subtle/hmac.Equal (constant time)

Backend:
- store: webhook_signing_secret + webhook_require_signature columns on
  projects + static_sites; scanProject helper, scan helpers updated; new
  Set* helpers for both fields
- webhook/handler: verifyHMAC helper, body read once, integrated into
  both project and site handlers
- api: per-entity signing-secret rotate / disable / require-toggle
  endpoints under /api/{projects,sites}/{id}/webhook/...

Frontend:
- WebhookPanel gains optional signing handlers (no breaking change for
  existing callers; signing UI hides when handlers aren't wired)
- one-shot reveal of the issued secret with copy + dismiss
- ToggleSwitch for require-signature, disabled until a secret is issued
- en/ru i18n strings

Tests:
- HMACRequiredAndValid (200 + deploy fires)
- HMACRequiredButMissing (401, no deploy)
- HMACPresentButWrong (401 even when require_signature=false)
- HMACOptionalUnsignedAccepted (200 when neither configured)
This commit is contained in:
Admin
2026-05-07 02:34:40 +03:00
parent 793570f4a1
commit 831b5c1a43
14 changed files with 827 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/routes/projects/[id]/+page.svelte
+3
View File
@@ -806,6 +806,9 @@
description={$t('projectDetail.webhookDesc')}
fetchWebhook={() => api.getProjectWebhook(projectId)}
regenerateWebhook={() => api.regenerateProjectWebhook(projectId)}
regenerateSigningSecret={() => api.regenerateProjectSigningSecret(projectId)}
disableSigning={() => api.disableProjectSigningSecret(projectId)}
setRequireSignature={(require) => api.setProjectRequireSignature(projectId, require)}
/>
<!-- Outgoing webhook (where Tinyforge sends events for THIS project). -->
web/src/routes/sites/[id]/+page.svelte
+3
View File
@@ -312,6 +312,9 @@
description={$t('sites.webhookDesc')}
fetchWebhook={() => api.getStaticSiteWebhook(siteId!)}
regenerateWebhook={() => api.regenerateStaticSiteWebhook(siteId!)}
regenerateSigningSecret={() => api.regenerateStaticSiteSigningSecret(siteId!)}
disableSigning={() => api.disableStaticSiteSigningSecret(siteId!)}
setRequireSignature={(require) => api.setStaticSiteRequireSignature(siteId!, require)}
/>
<!-- Outgoing notification URL (per-site override; falls through to global). -->