feat: add webhook auth guard and IRC password/username support

Add WEBHOOK_SECRET env var for authenticating incoming Owncast webhooks
via a ?secret= query parameter. Requests with a missing or incorrect
secret are rejected with 401. If unset, all requests are accepted
(with a startup warning).

Also includes previously uncommitted work:
- IRC server password support (IRC_PASSWORD env var, PASS command)
- IRC username/ident field in config
- IRC_PASSWORD and SELinux volume flag in docker-compose.yml

Made-with: Cursor
This commit is contained in:
cottongin
2026-03-13 00:53:59 -04:00
parent 1af9bd1def
commit 78fec2946c
11 changed files with 212 additions and 7 deletions


@@ -0,0 +1,40 @@
# Webhook Authentication Guard
**Date:** 2026-03-13
## Task
Add a shared secret (`WEBHOOK_SECRET`) to the webhook endpoint so only requests with a matching `?secret=` query parameter are accepted. This prevents unauthorized parties from injecting events into the bridge.
## Changes Made
### `src/config.rs`
- Added `webhook_secret()` static method to `BridgeConfig` — reads `WEBHOOK_SECRET` env var, returns `Option<String>`.
### `src/webhook.rs`
- Added `WebhookQuery` struct for axum query parameter extraction.
- Added `secret: Option<String>` field to `WebhookState`.
- Updated `handle_webhook` to validate the secret before processing: returns 401 if configured secret doesn't match.
- Updated `run_webhook_server` signature to accept `secret: Option<String>`; logs a warning at startup if unset.
- Added 4 integration tests using `tower::ServiceExt::oneshot`: correct secret (200), wrong secret (401), missing secret (401), no secret configured (200).
### `src/main.rs`
- Reads `WEBHOOK_SECRET` via `config::BridgeConfig::webhook_secret()`.
- Passes the secret to `webhook::run_webhook_server()`.
### `docker-compose.yml`
- Added `WEBHOOK_SECRET=${WEBHOOK_SECRET}` to environment section.
### `config.example.toml`
- Added comment documenting the `WEBHOOK_SECRET` env var.
### `README.md`
- Updated webhook URL example to include `?secret=` parameter.
- Added environment variables table documenting all three secrets.
### `Cargo.toml`
- Added `tower` (0.5, `util` feature) as dev dependency for handler tests.
## Follow-up Items
- None. All 65 tests pass.
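Review bot: carrying the shared secret in the `?secret=` query string (the Task section and the `README.md` webhook URL example in this file) means the credential is written into every access log and reverse-proxy log that records request URLs, and into Owncast's own outbound request logging; a request header (for example `Authorization: Bearer <secret>`, or an HMAC over the body) keeps it out of URL logs and should be preferred over `WebhookQuery` extraction. The `run_webhook_server` change that accepts `secret: Option<String>` and only logs a warning when it is unset makes the guard fail open, so a deployment that forgets the env var silently accepts every event; consider refusing to start unless an explicit opt-out is set. The `handle_webhook` description should also state how the secret is compared, since a plain string equality check leaks a timing side channel and a constant-time comparison is the usual fix.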