Add WEBHOOK_SECRET env var for authenticating incoming Owncast webhooks via a ?secret= query parameter. Requests with a missing or incorrect secret are rejected with 401. If unset, all requests are accepted (with a startup warning).

Also includes previously uncommitted work:
- IRC server password support (IRC_PASSWORD env var, PASS command)
- IRC username/ident field in config
- IRC_PASSWORD and SELinux volume flag in docker-compose.yml

Made-with: Cursor
# Webhook Authentication Guard

Date: 2026-03-13

## Task

Add a shared secret (`WEBHOOK_SECRET`) to the webhook endpoint so that only requests carrying a matching `?secret=` query parameter are accepted. This prevents unauthorized parties from injecting events into the bridge.

## Changes Made

### src/config.rs

- Added `webhook_secret()` static method to `BridgeConfig`: reads the `WEBHOOK_SECRET` env var and returns `Option<String>`.
### src/webhook.rs

- Added `WebhookQuery` struct for axum query parameter extraction.
- Added `secret: Option<String>` field to `WebhookState`.
- Updated `handle_webhook` to validate the secret before processing: returns 401 if the configured secret doesn't match.
- Updated `run_webhook_server` signature to accept `secret: Option<String>`; logs a warning at startup if unset.
- Added 4 integration tests using `tower::ServiceExt::oneshot`: correct secret (200), wrong secret (401), missing secret (401), no secret configured (200).
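The decision that `handle_webhook` makes, as an added example that is not the project's own code: the `?secret=` parameter is pulled from the query string, compared against `WEBHOOK_SECRET` without an early-exit comparison, and mapped to the 200/401 outcomes the four integration tests cover. The function names `secret_from_query`, `secrets_match` and `authorize` are assumptions, and the example does not percent-decode the parameter.

```rust
// Added example (not the bridge's code): the webhook guard as plain
// functions, so the four documented cases can be checked without axum.

pub const STATUS_OK: u16 = 200;
pub const STATUS_UNAUTHORIZED: u16 = 401;

/// Pull the `secret` value out of a raw query string such as
/// "foo=1&secret=abc". No percent-decoding is done, which is fine for
/// secrets made of URL-safe characters (an assumption of this example).
pub fn secret_from_query(query: &str) -> Option<&str> {
    query
        .split('&')
        .filter_map(|pair| pair.split_once('='))
        .find(|(key, _)| *key == "secret")
        .map(|(_, value)| value)
}

/// Compare secrets without the early exit of `==`: the loop always runs
/// over the longer of the two inputs, and a length mismatch is folded into
/// the same accumulator instead of returning immediately.
pub fn secrets_match(expected: &str, provided: &str) -> bool {
    let a = expected.as_bytes();
    let b = provided.as_bytes();
    let mut diff: u8 = (a.len() != b.len()) as u8;
    for i in 0..a.len().max(b.len()) {
        let x = a.get(i).copied().unwrap_or(0);
        let y = b.get(i).copied().unwrap_or(0);
        diff |= x ^ y;
    }
    diff == 0
}

/// The guard itself: `configured` is WEBHOOK_SECRET from the environment,
/// `provided` is the `?secret=` parameter (None when absent). Returns the
/// HTTP status the handler answers with before any event processing.
pub fn authorize(configured: Option<&str>, provided: Option<&str>) -> u16 {
    match (configured, provided) {
        // Guard disabled: every request is accepted (the startup-warning case).
        (None, _) => STATUS_OK,
        // Guard enabled but the request carried no secret at all.
        (Some(_), None) => STATUS_UNAUTHORIZED,
        (Some(expected), Some(given)) if secrets_match(expected, given) => STATUS_OK,
        (Some(_), Some(_)) => STATUS_UNAUTHORIZED,
    }
}
```

Because the secret travels in the query string, check that any reverse proxy in front of the bridge does not write full request URLs, and with them the secret, into its access log.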
### src/main.rs

- Reads `WEBHOOK_SECRET` via `config::BridgeConfig::webhook_secret()`.
- Passes the secret to `webhook::run_webhook_server()`.

### docker-compose.yml

- Added `WEBHOOK_SECRET=${WEBHOOK_SECRET}` to the environment section.

### config.example.toml

- Added a comment documenting the `WEBHOOK_SECRET` env var.

### README.md

- Updated the webhook URL example to include the `?secret=` parameter.
- Added an environment variables table documenting all three secrets.

### Cargo.toml

- Added `tower` (0.5, `util` feature) as a dev dependency for handler tests.

## Follow-up Items

- None. All 65 tests pass.