tiny-forge

alexei.dolgolyov/tiny-forge

Fork 0

Commit Graph

Author	SHA1	Message	Date
alexei.dolgolyov	831b5c1a43	feat(webhook): HMAC-SHA256 signature verification on inbound webhooks Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough to forge deploy/sync requests — the caller must also know a separate signing secret. Header format is X-Hub-Signature-256, matching the Gitea/GitHub/GitLab convention so existing CI integrations work without custom code. Behaviour: - per-project / per-site signing_secret is independent of the URL secret - require_signature flag does a hard 401 on missing/invalid signatures - even when require_signature is off, an invalid submitted signature returns 401 — surfaces CI misconfiguration instead of silently passing - comparison uses subtle/hmac.Equal (constant time) Backend: - store: webhook_signing_secret + webhook_require_signature columns on projects + static_sites; scanProject helper, scan helpers updated; new Set* helpers for both fields - webhook/handler: verifyHMAC helper, body read once, integrated into both project and site handlers - api: per-entity signing-secret rotate / disable / require-toggle endpoints under /api/{projects,sites}/{id}/webhook/... Frontend: - WebhookPanel gains optional signing handlers (no breaking change for existing callers; signing UI hides when handlers aren't wired) - one-shot reveal of the issued secret with copy + dismiss - ToggleSwitch for require-signature, disabled until a secret is issued - en/ru i18n strings Tests: - HMACRequiredAndValid (200 + deploy fires) - HMACRequiredButMissing (401, no deploy) - HMACPresentButWrong (401 even when require_signature=false) - HMACOptionalUnsignedAccepted (200 when neither configured)	2026-05-07 02:34:40 +03:00
alexei.dolgolyov	0632f512e6	feat(webhook): per-project and per-site webhook URLs Build / build (push) Successful in 10m25s Details Replace the single global webhook secret with entity-scoped secrets stored on each project and static site. Webhook-driven project autocreate is removed — projects must exist before their URL can trigger deploys. Also wires static-site webhooks (sync_trigger=push\|tag), turning the previously inert "push" trigger into a functional one: POST the site's webhook URL from a Git provider and Tinyforge re-syncs on matching refs. - Adds webhook_secret columns + unique indexes to projects and static_sites - Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook and /api/sites/{id}/webhook (admin-only) - Removes /api/settings/webhook-url and the global webhook panel - Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru - Tests for matcher (siteRefMatches, ParseImageRef) and handler (project match/mismatch/404 and site push/manual/branch-skip)	2026-04-23 15:18:19 +03:00

Author

SHA1

Message

Date

alexei.dolgolyov

831b5c1a43

feat(webhook): HMAC-SHA256 signature verification on inbound webhooks

Adds an opt-in inbound HMAC scheme so a leaked URL alone is not enough
to forge deploy/sync requests — the caller must also know a separate
signing secret. Header format is X-Hub-Signature-256, matching the
Gitea/GitHub/GitLab convention so existing CI integrations work without
custom code.

Behaviour:
- per-project / per-site signing_secret is independent of the URL secret
- require_signature flag does a hard 401 on missing/invalid signatures
- even when require_signature is off, an *invalid* submitted signature
  returns 401 — surfaces CI misconfiguration instead of silently passing
- comparison uses subtle/hmac.Equal (constant time)

Backend:
- store: webhook_signing_secret + webhook_require_signature columns on
  projects + static_sites; scanProject helper, scan helpers updated; new
  Set* helpers for both fields
- webhook/handler: verifyHMAC helper, body read once, integrated into
  both project and site handlers
- api: per-entity signing-secret rotate / disable / require-toggle
  endpoints under /api/{projects,sites}/{id}/webhook/...

Frontend:
- WebhookPanel gains optional signing handlers (no breaking change for
  existing callers; signing UI hides when handlers aren't wired)
- one-shot reveal of the issued secret with copy + dismiss
- ToggleSwitch for require-signature, disabled until a secret is issued
- en/ru i18n strings

Tests:
- HMACRequiredAndValid (200 + deploy fires)
- HMACRequiredButMissing (401, no deploy)
- HMACPresentButWrong (401 even when require_signature=false)
- HMACOptionalUnsignedAccepted (200 when neither configured)

2026-05-07 02:34:40 +03:00

alexei.dolgolyov

0632f512e6

feat(webhook): per-project and per-site webhook URLs

Build / build (push) Successful in 10m25s

Details

Replace the single global webhook secret with entity-scoped secrets stored
on each project and static site. Webhook-driven project autocreate is
removed — projects must exist before their URL can trigger deploys.

Also wires static-site webhooks (sync_trigger=push|tag), turning the
previously inert "push" trigger into a functional one: POST the site's
webhook URL from a Git provider and Tinyforge re-syncs on matching refs.

- Adds webhook_secret columns + unique indexes to projects and static_sites
- Per-entity GET/regenerate endpoints under /api/projects/{id}/webhook
  and /api/sites/{id}/webhook (admin-only)
- Removes /api/settings/webhook-url and the global webhook panel
- Reusable WebhookPanel Svelte component on both detail pages, i18n in en/ru
- Tests for matcher (siteRefMatches, ParseImageRef) and handler (project
  match/mismatch/404 and site push/manual/branch-skip)

2026-04-23 15:18:19 +03:00

2 Commits