Class: CollavreLinear::WebhooksController

Inherits:
ActionController::API
  • Object
show all
Defined in:
app/controllers/collavre_linear/webhooks_controller.rb

Overview

Receives inbound webhooks from Linear.

Security pipeline (all BEFORE enqueueing any work):

1. Verify `Linear-Signature` = HMAC-SHA256(webhook_secret, raw_body) with
 a constant-time compare. Bad/missing signature -> 401.
2. Verify `webhookTimestamp` (ms epoch) is within +/- 60s of now to reject
 replayed/stale deliveries. Out-of-window -> 401.
3. Drop our own events (EchoGuard) to avoid sync loops. Echo -> 200 ack,
 but nothing enqueued.

Machine-to-machine endpoint authenticated by the HMAC signature below, not a user session. Inherits ActionController::API, which carries no CSRF middleware — so there is nothing to skip, and no session cookie to forge.

Constant Summary collapse

TIMESTAMP_WINDOW_MS =
60_000

Instance Method Summary collapse

Instance Method Details

#createObject



20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# File 'app/controllers/collavre_linear/webhooks_controller.rb', line 20

def create
  raw_body = request.raw_post.presence || request.body.read
  payload  = JSON.parse(raw_body)

  link    = find_project_link(payload)
  # Resolve the secret at the TEAM level, not off the matched row's own
  # column. find_project_link can return a specific row (project/issue/comment
  # branches) that committed blank in the paste race even though a sibling
  # holds the team's secret — verifying against the team's non-blank secret
  # keeps those deliveries from a spurious 401.
  secret  = link && CollavreLinear::ProjectLink.team_webhook_secret(link.team_id)

  return head :unauthorized unless valid_signature?(raw_body, secret)
  return head :unauthorized unless fresh_timestamp?(payload)
  # Signature only proves the sender holds the signing link's per-TEAM secret.
  # InboundApplier routes by the payload's own id/projectId, so a payload
  # signed with team A's secret but naming team B's project/issue would let a
  # user who can see A's (UI-visible) secret forge writes into B. Require every
  # other identifier to resolve to the SAME team before enqueueing.
  return head :unauthorized unless payload_identifiers_consistent?(payload, link)

   = (link)
  if  && CollavreLinear::EchoGuard.our_event?(, payload)
    # Our own actor bounced back — ack so Linear stops retrying, but do not
    # re-apply our own change.
    return head :ok
  end

  # Enqueue on the sequential linear_inbound queue (single-thread worker) so
  # verified events apply strictly in receipt order — a comment that arrives
  # after its issue's create must also be APPLIED after it.
  CollavreLinear::InboundApplyJob.perform_later(payload)
  head :ok
rescue JSON::ParserError
  head :bad_request
end