webhooker

sneak/webhooker

Fork 0

Commit Graph

Author	SHA1	Message	Date
clawbot	0829f9a75d	refactor: replace custom CSRF and rate-limiting with off-the-shelf libraries All checks were successful check / check (push) Successful in 4s Details Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting middleware with go-chi/httprate, as requested in code review. CSRF changes: - Replace session-based CSRF tokens with gorilla/csrf cookie-based double-submit pattern (HMAC-authenticated cookies) - Keep same form field name (csrf_token) for template compatibility - Keep same route exclusions (webhook/API routes) - In dev mode, mark requests as plaintext HTTP to skip Referer check Rate limiting changes: - Replace custom token-bucket rate limiter with httprate sliding-window counter (per-IP, 5 POST requests/min on login endpoint) - Remove custom IP extraction (httprate.KeyByRealIP handles X-Forwarded-For, X-Real-IP, True-Client-IP) - Remove custom cleanup goroutine (httprate manages its own state) Kept as-is: - SSRF prevention code (internal/delivery/ssrf.go) — application-specific - CSRFToken() wrapper function — handlers unchanged Updated README security section and architecture overview to reflect library choices.	2026-03-10 10:05:38 -07:00
clawbot	289f479772	test: add tests for delivery, middleware, and session packages (#32 ) Some checks failed check / check (push) Has been cancelled Details ## Summary Add comprehensive test coverage for three previously-untested packages, addressing [issue #28](#28). ## Coverage Improvements \| Package \| Before \| After \| \|---------\|--------\|-------\| \| `internal/delivery` \| 37.1% \| 74.5% \| \| `internal/middleware` \| 0.0% \| 70.2% \| \| `internal/session` \| 0.0% \| 51.5% \| ## What's Tested ### delivery (37% → 75%) - `processNewTask` with inline and large (DB-fetched) bodies - `processRetryTask` success, skip non-retrying, large body fetch - Worker lifecycle start/stop, retry channel processing - `processDelivery` unknown target type handling - `recoverPendingDeliveries`, `recoverWebhookDeliveries`, `recoverInFlight` - HTTP delivery with custom headers, timeout, invalid config - `Notify` batching ### middleware (0% → 70%) - Logging middleware status code capture and pass-through - `LoggingResponseWriter` delegation - CORS dev mode (allow-all) and prod mode (no-op) - `RequireAuth` redirect for unauthenticated, pass-through for authenticated - `MetricsAuth` basic auth validation - `ipFromHostPort` helper ### session (0% → 52%) - `Get`/`Save` round-trip with real cookie store - `SetUser`, `GetUserID`, `GetUsername`, `IsAuthenticated` - `ClearUser` removes all keys - `Destroy` invalidates session (MaxAge -1) - Session persistence across requests - Edge cases: overwrite user, wrong type, constants ## Test Helpers Added - `database.NewTestDatabase` / `NewTestWebhookDBManager` — cross-package test helpers for delivery integration tests - `session.NewForTest` — creates session manager without fx lifecycle for middleware tests ## Notes - No production code modified - All tests use `httptest`, SQLite in-memory, and real cookie stores — no external network calls - Full test suite completes in ~3.5s within the 30s timeout - `docker build .` passes (lint + test + build) closes #28 Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #32 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>	2026-03-04 12:07:23 +01:00

Author

SHA1

Message

Date

clawbot

0829f9a75d

refactor: replace custom CSRF and rate-limiting with off-the-shelf libraries

check / check (push) Successful in 4s

Details

Replace custom CSRF middleware with gorilla/csrf and custom rate-limiting
middleware with go-chi/httprate, as requested in code review.

CSRF changes:
- Replace session-based CSRF tokens with gorilla/csrf cookie-based
  double-submit pattern (HMAC-authenticated cookies)
- Keep same form field name (csrf_token) for template compatibility
- Keep same route exclusions (webhook/API routes)
- In dev mode, mark requests as plaintext HTTP to skip Referer check

Rate limiting changes:
- Replace custom token-bucket rate limiter with httprate sliding-window
  counter (per-IP, 5 POST requests/min on login endpoint)
- Remove custom IP extraction (httprate.KeyByRealIP handles
  X-Forwarded-For, X-Real-IP, True-Client-IP)
- Remove custom cleanup goroutine (httprate manages its own state)

Kept as-is:
- SSRF prevention code (internal/delivery/ssrf.go) — application-specific
- CSRFToken() wrapper function — handlers unchanged

Updated README security section and architecture overview to reflect
library choices.

2026-03-10 10:05:38 -07:00

clawbot

289f479772

test: add tests for delivery, middleware, and session packages (#32 )

check / check (push) Has been cancelled

Details

## Summary

Add comprehensive test coverage for three previously-untested packages, addressing [issue #28](#28).

## Coverage Improvements

| Package | Before | After |
|---------|--------|-------|
| `internal/delivery` | 37.1% | 74.5% |
| `internal/middleware` | 0.0% | 70.2% |
| `internal/session` | 0.0% | 51.5% |

## What's Tested

### delivery (37% → 75%)
- `processNewTask` with inline and large (DB-fetched) bodies
- `processRetryTask` success, skip non-retrying, large body fetch
- Worker lifecycle start/stop, retry channel processing
- `processDelivery` unknown target type handling
- `recoverPendingDeliveries`, `recoverWebhookDeliveries`, `recoverInFlight`
- HTTP delivery with custom headers, timeout, invalid config
- `Notify` batching

### middleware (0% → 70%)
- Logging middleware status code capture and pass-through
- `LoggingResponseWriter` delegation
- CORS dev mode (allow-all) and prod mode (no-op)
- `RequireAuth` redirect for unauthenticated, pass-through for authenticated
- `MetricsAuth` basic auth validation
- `ipFromHostPort` helper

### session (0% → 52%)
- `Get`/`Save` round-trip with real cookie store
- `SetUser`, `GetUserID`, `GetUsername`, `IsAuthenticated`
- `ClearUser` removes all keys
- `Destroy` invalidates session (MaxAge -1)
- Session persistence across requests
- Edge cases: overwrite user, wrong type, constants

## Test Helpers Added
- `database.NewTestDatabase` / `NewTestWebhookDBManager` — cross-package test helpers for delivery integration tests
- `session.NewForTest` — creates session manager without fx lifecycle for middleware tests

## Notes
- No production code modified
- All tests use `httptest`, SQLite in-memory, and real cookie stores — no external network calls
- Full test suite completes in ~3.5s within the 30s timeout
- `docker build .` passes (lint + test + build)

closes #28

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #32
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

2026-03-04 12:07:23 +01:00

2 Commits