@@ -13,6 +13,7 @@ import ( |
| 13 | 13 | "github.com/jackc/pgx/v5/pgxpool" |
| 14 | 14 | |
| 15 | 15 | "github.com/tenseleyFlow/shithub/internal/auth/audit" |
| 16 | + "github.com/tenseleyFlow/shithub/internal/auth/secretbox" |
| 16 | 17 | "github.com/tenseleyFlow/shithub/internal/auth/throttle" |
| 17 | 18 | "github.com/tenseleyFlow/shithub/internal/infra/config" |
| 18 | 19 | "github.com/tenseleyFlow/shithub/internal/infra/storage" |
@@ -55,6 +56,20 @@ func buildRepoHandlers( |
| 55 | 56 | } |
| 56 | 57 | } |
| 57 | 58 | |
| 59 | + // Webhook secret box (S33). Reuses the TOTP key — they're both |
| 60 | + // at-rest AEAD-wrapped secrets. nil-tolerant: if the key is |
| 61 | + // missing/invalid the webhook surface renders a placeholder. |
| 62 | + var hookBox *secretbox.Box |
| 63 | + if cfg.Auth.TOTPKeyB64 != "" { |
| 64 | + if box, err := secretbox.FromBase64(cfg.Auth.TOTPKeyB64); err == nil { |
| 65 | + hookBox = box |
| 66 | + } else if logger != nil { |
| 67 | + logger.Warn("repo: webhook secretbox unavailable", |
| 68 | + "hint", "set Auth.TOTPKeyB64 to a base64 32-byte key", |
| 69 | + "error", err) |
| 70 | + } |
| 71 | + } |
| 72 | + |
| 58 | 73 | return repoh.New(repoh.Deps{ |
| 59 | 74 | Logger: logger, |
| 60 | 75 | Render: rr, |
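Review bot: Sharing the raw TOTP key with the webhook secret box (the `secretbox.FromBase64(cfg.Auth.TOTPKeyB64)` call) removes domain separation between two independent at-rest secret stores, so a leak or rotation of that one key now exposes or invalidates both TOTP seeds and every stored webhook secret; unless secretbox already derives a purpose-bound subkey internally (not visible here), prefer a dedicated config key or a per-purpose derivation with a distinct label before this ships, and record the trade-off in the comment, e.g. `// TODO(security): derive a webhook-specific subkey rather than sharing the raw TOTP key; both secret stores currently fall together.` A second, smaller point: the decode error is dropped entirely when `logger` is nil (`} else if logger != nil {`), so a malformed key silently disables the webhook surface with no trace; either return the error from buildRepoHandlers or log unconditionally through a fallback logger. The same nil-`SecretBox` contract is wired in the third hunk (`SecretBox: hookBox,`), and repoh.Deps should document that a nil box is a deliberate "unavailable" state rather than a programming error. buildRepoHandlers begins outside this hunk.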
@@ -62,6 +77,7 @@ func buildRepoHandlers( |
| 62 | 77 | RepoFS: rfs, |
| 63 | 78 | Audit: audit.NewRecorder(), |
| 64 | 79 | Limiter: throttle.NewLimiter(), |
| 80 | + SecretBox: hookBox, |
| 65 | 81 | ShithubdPath: shithubdPath, |
| 66 | 82 | CloneURLs: repoh.CloneURLs{ |
| 67 | 83 | BaseURL: cfg.Auth.BaseURL, |