Merge pull request 'webhook: improve UX for sourcehut and matrix' (#3156) from oliverpool/forgejo:webhook_sourcehut_polish into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3156 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2025-09-15 18:56:59 +00:00 · 2024-04-17 06:39:54 +00:00 · 2024-04-17 06:39:54 +00:00 · e4aa7bd511
commit e4aa7bd511
parent ea4071ca9f 94dd22a784
22 changed files with 82 additions and 59 deletions
--- a/services/webhook/deliver.go
+++ b/services/webhook/deliver.go
@ -78,7 +78,13 @@ func Deliver(ctx context.Context, t *webhook_model.HookTask) error {
 	}
 	if authorization != "" {
 		req.Header.Set("Authorization", authorization)
-		t.RequestInfo.Headers["Authorization"] = "******"
+		redacted := "******"
+		if strings.HasPrefix(authorization, "Bearer ") {
+			redacted = "Bearer " + redacted
+		} else if strings.HasPrefix(authorization, "Basic ") {
+			redacted = "Basic " + redacted
+		}
+		t.RequestInfo.Headers["Authorization"] = redacted
 	}

 	t.ResponseInfo = &webhook_model.HookResponse{
--- a/services/webhook/deliver_test.go
+++ b/services/webhook/deliver_test.go
@ -132,7 +132,7 @@ func TestWebhookDeliverAuthorizationHeader(t *testing.T) {
 	}

 	assert.True(t, hookTask.IsSucceed)
-	assert.Equal(t, "******", hookTask.RequestInfo.Headers["Authorization"])
+	assert.Equal(t, "Bearer ******", hookTask.RequestInfo.Headers["Authorization"])
 }

 func TestWebhookDeliverHookTask(t *testing.T) {
@ -152,7 +152,6 @@ func TestWebhookDeliverHookTask(t *testing.T) {

 		case "/webhook/6db5dc1e282529a8c162c7fe93dd2667494eeb51":
 			// Version 2
-			assert.Equal(t, "push", r.Header.Get("X-GitHub-Event"))
 			assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
 			body, err := io.ReadAll(r.Body)
 			assert.NoError(t, err)
--- a/services/webhook/matrix.go
+++ b/services/webhook/matrix.go
@ -42,16 +42,15 @@ func (matrixHandler) UnmarshalForm(bind func(any)) forms.WebhookForm {
 		HomeserverURL string `binding:"Required;ValidUrl"`
 		RoomID        string `binding:"Required"`
 		MessageType   int
-
-		// enforce requirement of authorization_header
-		// (value will still be set in the embedded WebhookCoreForm)
-		AuthorizationHeader string `binding:"Required"`
+		AccessToken   string `binding:"Required"`
 	}
 	bind(&form)
+	form.AuthorizationHeader = "Bearer " + strings.TrimSpace(form.AccessToken)

+	// https://spec.matrix.org/v1.10/client-server-api/#sending-events-to-a-room
 	return forms.WebhookForm{
 		WebhookCoreForm: form.WebhookCoreForm,
-		URL:             fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, url.PathEscape(form.RoomID)),
+		URL:             fmt.Sprintf("%s/_matrix/client/v3/rooms/%s/send/m.room.message", form.HomeserverURL, url.PathEscape(form.RoomID)),
 		ContentType:     webhook_model.ContentTypeJSON,
 		Secret:          "",
 		HTTPMethod:      http.MethodPut,
@ -91,7 +90,7 @@ func (matrixHandler) NewRequest(ctx context.Context, w *webhook_model.Webhook, t
 	}
 	req.Header.Set("Content-Type", "application/json")

-	return req, body, shared.AddDefaultHeaders(req, []byte(w.Secret), t, body) // likely useless, but has always been sent historially
+	return req, body, nil
 }

 const matrixPayloadSizeLimit = 1024 * 64
--- a/services/webhook/matrix_test.go
+++ b/services/webhook/matrix_test.go
@ -201,7 +201,7 @@ func TestMatrixJSONPayload(t *testing.T) {
 		RepoID:   3,
 		IsActive: true,
 		Type:     webhook_module.MATRIX,
-		URL:      "https://matrix.example.com/_matrix/client/r0/rooms/ROOM_ID/send/m.room.message",
+		URL:      "https://matrix.example.com/_matrix/client/v3/rooms/ROOM_ID/send/m.room.message",
 		Meta:     `{"message_type":0}`, // text
 	}
 	task := &webhook_model.HookTask{
@ -217,8 +217,7 @@ func TestMatrixJSONPayload(t *testing.T) {
 	require.NoError(t, err)

 	assert.Equal(t, "PUT", req.Method)
-	assert.Equal(t, "/_matrix/client/r0/rooms/ROOM_ID/send/m.room.message/6db5dc1e282529a8c162c7fe93dd2667494eeb51", req.URL.Path)
-	assert.Equal(t, "sha256=", req.Header.Get("X-Hub-Signature-256"))
+	assert.Equal(t, "/_matrix/client/v3/rooms/ROOM_ID/send/m.room.message/6db5dc1e282529a8c162c7fe93dd2667494eeb51", req.URL.Path)
 	assert.Equal(t, "application/json", req.Header.Get("Content-Type"))
 	var body MatrixPayload
 	err = json.NewDecoder(req.Body).Decode(&body)
--- a/services/webhook/sourcehut/builds.go
+++ b/services/webhook/sourcehut/builds.go
@ -49,6 +49,7 @@ type buildsForm struct {
 	ManifestPath string `binding:"Required"`
 	Visibility   string `binding:"Required;In(PUBLIC,UNLISTED,PRIVATE)"`
 	Secrets      bool
+	AccessToken  string `binding:"Required"`
 }

 var _ binding.Validator = &buildsForm{}
@ -63,13 +64,7 @@ func (f *buildsForm) Validate(req *http.Request, errs binding.Errors) binding.Er
 			Message:        ctx.Locale.TrString("repo.settings.add_webhook.invalid_path"),
 		})
 	}
-	if !strings.HasPrefix(f.AuthorizationHeader, "Bearer ") {
-		errs = append(errs, binding.Error{
-			FieldNames:     []string{"AuthorizationHeader"},
-			Classification: "",
-			Message:        ctx.Locale.TrString("form.required_prefix", "Bearer "),
-		})
-	}
+	f.AuthorizationHeader = "Bearer " + strings.TrimSpace(f.AccessToken)
 	return errs
 }