**feat(webhook):** add WEBHOOK_SECRET for token authentication support
All checks were successful
CI / build-test (push) Successful in 1m28s
- Protect `/webhook` endpoint using the `Authorization` header
- Update `README.md` with setup instructions and examples for authentication
- Warn when `WEBHOOK_SECRET` is not configured
- Add tests for valid, missing, and invalid token scenarios
- Update `docker-compose.yml` to support `WEBHOOK_SECRET` configuration
@@ -76,6 +76,67 @@ func TestWebhookHandler(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandler_Unauthorized(t *testing.T) {
|
||||
diun.UpdatesReset()
|
||||
diun.SetWebhookSecret("my-secret")
|
||||
defer diun.ResetWebhookSecret()
|
||||
|
||||
event := diun.DiunEvent{Image: "nginx:latest"}
|
||||
body, _ := json.Marshal(event)
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
|
||||
rec := httptest.NewRecorder()
|
||||
diun.WebhookHandler(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Errorf("expected 401, got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandler_WrongToken(t *testing.T) {
|
||||
diun.UpdatesReset()
|
||||
diun.SetWebhookSecret("my-secret")
|
||||
defer diun.ResetWebhookSecret()
|
||||
|
||||
event := diun.DiunEvent{Image: "nginx:latest"}
|
||||
body, _ := json.Marshal(event)
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
|
||||
req.Header.Set("Authorization", "wrong-token")
|
||||
rec := httptest.NewRecorder()
|
||||
diun.WebhookHandler(rec, req)
|
||||
if rec.Code != http.StatusUnauthorized {
|
||||
t.Errorf("expected 401, got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandler_ValidToken(t *testing.T) {
|
||||
diun.UpdatesReset()
|
||||
diun.SetWebhookSecret("my-secret")
|
||||
defer diun.ResetWebhookSecret()
|
||||
|
||||
event := diun.DiunEvent{Image: "nginx:latest"}
|
||||
body, _ := json.Marshal(event)
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
|
||||
req.Header.Set("Authorization", "my-secret")
|
||||
rec := httptest.NewRecorder()
|
||||
diun.WebhookHandler(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Errorf("expected 200, got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandler_NoSecretConfigured(t *testing.T) {
|
||||
diun.UpdatesReset()
|
||||
diun.ResetWebhookSecret()
|
||||
|
||||
event := diun.DiunEvent{Image: "nginx:latest"}
|
||||
body, _ := json.Marshal(event)
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
|
||||
rec := httptest.NewRecorder()
|
||||
diun.WebhookHandler(rec, req)
|
||||
if rec.Code != http.StatusOK {
|
||||
t.Errorf("expected 200 (no secret configured), got %d", rec.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebhookHandler_BadRequest(t *testing.T) {
|
||||
req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader([]byte("not-json")))
|
||||
rec := httptest.NewRecorder()
|
||||
|
||||
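Review bot: The two rejection tests, `TestWebhookHandler_Unauthorized` and `TestWebhookHandler_WrongToken`, assert only `rec.Code`, so a handler that records the event before writing the 401 would still pass. After `diun.UpdatesReset()`, each should also assert that the update store is still empty, using whatever accessor the package exposes (none is visible in this hunk). The only wrong value tried is `"wrong-token"`, which would not catch a prefix or substring comparison; a near-miss case such as `req.Header.Set("Authorization", "my-secret-extra")` expecting 401 would pin exact matching. `TestWebhookHandler_NoSecretConfigured` locks in fail-open behaviour and deserves a comment saying so, for example `// No WEBHOOK_SECRET set: the endpoint is intentionally left unauthenticated.`. The handler itself is not in this hunk, so whether the token comparison is constant-time cannot be checked from here, and `TestWebhookHandler_BadRequest` continues past the hunk's end.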