tenseleyflow/shithub / 7f3aed3

+	"github.com/jackc/pgx/v5"

+	"github.com/tenseleyFlow/shithub/internal/repos/sigverify"

+	SHA          string               `json:"sha"`

+	ShortSHA     string               `json:"short_sha"`

+	Subject      string               `json:"subject"`

+	Author       commitAuthor         `json:"author"`

+	Body         string               `json:"body,omitempty"`

+	Verification verificationResponse `json:"verification"`

+}

+

+// verificationResponse mirrors gh's documented commit verification

+// object. Empty/never-verified commits emit the same shape gh uses

+// for unsigned commits:

+//

+//	{verified: false, reason: "unsigned", signature: null, payload: null, verified_at: null}

+//

+// `payload` is the bytes the signature was computed over (commit

+// object body minus the gpgsig header). Surfaced as a string in gh's

+// JSON; we follow suit. nil bytes → JSON null via the pointer trick.

+type verificationResponse struct {

+	Verified   bool    `json:"verified"`

+	Reason     string  `json:"reason"`

+	Signature  *string `json:"signature"`

+	Payload    *string `json:"payload"`

+	VerifiedAt *string `json:"verified_at"`

+}

+

+func presentVerification(v sigverify.View) verificationResponse {

+	resp := verificationResponse{

+		Verified: v.Verified,

+		Reason:   string(v.Reason),

+	}

+	if v.Signature != "" {

+		s := v.Signature

+		resp.Signature = &s

+	}

+	if len(v.Payload) > 0 {

+		s := string(v.Payload)

+		resp.Payload = &s

+	}

+	if v.VerifiedAt != nil {

+		s := v.VerifiedAt.UTC().Format(time.RFC3339)

+		resp.VerifiedAt = &s

+	}

+	return resp

+func presentCommit(c git.Commit, v sigverify.View) commitListItem {

+		Verification: presentVerification(v),

+

+	// Batch-load verification cache rows for the page's OIDs. Failure

+	// here is non-fatal — we fall back to UnsignedView per row so the

+	// payload still renders, just without verification metadata.

+	oids := make([]string, len(commits))

+	for i, c := range commits {

+		oids[i] = c.OID

+	}

+	verifications, err := sigverify.LoadViewsForOIDs(r.Context(), h.d.Pool, repo.ID, oids)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "api: load verifications", "error", err, "repo_id", repo.ID)

+		verifications = map[string]sigverify.View{}

+	}

+

+		out = append(out, presentCommit(c, sigverify.LookupView(verifications, c.OID)))

+	view, vErr := sigverify.LoadView(r.Context(), h.d.Pool, repo.ID, cd.OID)

+	if vErr != nil && !errors.Is(vErr, pgx.ErrNoRows) {

+		h.d.Logger.WarnContext(r.Context(), "api: load verification", "error", vErr, "repo_id", repo.ID, "oid", cd.OID)

+		view = sigverify.UnsignedView()

+	}

+

+		commitListItem: presentCommit(cd.Commit, view),

+	SHA          string                `json:"sha"`

+	ShortSHA     string                `json:"short_sha"`

+	Subject      string                `json:"subject"`

+	Body         string                `json:"body"`

+	Author       apiCommitAuthor       `json:"author"`

+	Verification apiCommitVerification `json:"verification"`

+}

+

+type apiCommitVerification struct {

+	Verified   bool    `json:"verified"`

+	Reason     string  `json:"reason"`

+	Signature  *string `json:"signature"`

+	Payload    *string `json:"payload"`

+	VerifiedAt *string `json:"verified_at"`

+

+// TestCommits_VerificationDefaultsUnsigned ensures every commit's

+// JSON carries the verification object even when no cache row

+// exists. gh emits `{verified: false, reason: "unsigned", signature:

+// null, payload: null, verified_at: null}` for commits with no

+// signature; we match that exactly.

+func TestCommits_VerificationDefaultsUnsigned(t *testing.T) {

+	router, token, headSHA := commitsEnv(t)

+

+	req := httptest.NewRequest(http.MethodGet, "/api/v1/repos/alice/demo/commits", nil)

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("list: %d %s", rr.Code, rr.Body.String())

+	}

+	var listed []apiCommit

+	if err := json.Unmarshal(rr.Body.Bytes(), &listed); err != nil {

+		t.Fatalf("decode: %v", err)

+	}

+	if len(listed) != 1 {

+		t.Fatalf("len: got %d, want 1", len(listed))

+	}

+	if listed[0].SHA != headSHA {

+		t.Errorf("sha: got %q, want %q", listed[0].SHA, headSHA)

+	}

+	if listed[0].Verification.Reason != "unsigned" {

+		t.Errorf("reason: got %q, want unsigned", listed[0].Verification.Reason)

+	}

+	if listed[0].Verification.Verified {

+		t.Error("expected Verified=false on an unsigned commit")

+	}

+	if listed[0].Verification.Signature != nil {

+		t.Error("expected Signature=null on an unsigned commit")

+	}

+	if listed[0].Verification.Payload != nil {

+		t.Error("expected Payload=null on an unsigned commit")

+	}

+

+	// Single-commit GET surfaces the same object shape.

+	req = httptest.NewRequest(http.MethodGet, "/api/v1/repos/alice/demo/commits/"+headSHA, nil)

+	req.Header.Set("Authorization", "Bearer "+token)

+	rr = httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusOK {

+		t.Fatalf("get: %d %s", rr.Code, rr.Body.String())

+	}

+	var single apiCommit

+	if err := json.Unmarshal(rr.Body.Bytes(), &single); err != nil {

+		t.Fatalf("decode get: %v", err)

+	}

+	if single.Verification.Reason != "unsigned" {

+		t.Errorf("get reason: got %q, want unsigned", single.Verification.Reason)

+	}

+}