upaas/internal
clawbot 72786a9feb fix: use hashed webhook secrets for constant-time comparison
Store a SHA-256 hash of the webhook secret in a new webhook_secret_hash
column. FindAppByWebhookSecret now hashes the incoming secret and queries
by hash, eliminating the SQL string comparison timing side-channel.

- Add migration 005_add_webhook_secret_hash.sql
- Add database.HashWebhookSecret() helper
- Backfill existing secrets on startup
- Update App model to include WebhookSecretHash in all queries
- Update app creation to compute hash at insert time
- Add TestHashWebhookSecret unit test
- Update all test fixtures to set WebhookSecretHash

Closes #13
2026-02-15 14:06:53 -08:00
..
config Add deployment improvements and UI enhancements 2025-12-30 15:05:26 +07:00
database fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00
docker Add build log file storage and download functionality 2026-01-01 06:08:00 -08:00
globals Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
handlers Add build log file storage and download functionality 2026-01-01 06:08:00 -08:00
healthcheck Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
logger Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
middleware Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00
models fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00
server Add build log file storage and download functionality 2026-01-01 06:08:00 -08:00
service fix: use hashed webhook secrets for constant-time comparison 2026-02-15 14:06:53 -08:00
ssh Initial commit with server startup infrastructure 2025-12-29 15:46:03 +07:00