Class: CollavreLinear::WebhooksController
- Inherits:
-
ActionController::API
- Object
- ActionController::API
- CollavreLinear::WebhooksController
- Defined in:
- app/controllers/collavre_linear/webhooks_controller.rb
Overview
Receives inbound webhooks from Linear.
Security pipeline (all BEFORE enqueueing any work):
1. Verify `Linear-Signature` = HMAC-SHA256(webhook_secret, raw_body) with
a constant-time compare. Bad/missing signature -> 401.
2. Verify `webhookTimestamp` (ms epoch) is within +/- 60s of now to reject
replayed/stale deliveries. Out-of-window -> 401.
3. Drop our own events (EchoGuard) to avoid sync loops. Echo -> 200 ack,
but nothing enqueued.
Machine-to-machine endpoint authenticated by the HMAC signature below, not a user session. Inherits ActionController::API, which carries no CSRF middleware — so there is nothing to skip, and no session cookie to forge.
Constant Summary collapse
- TIMESTAMP_WINDOW_MS =
60_000
Instance Method Summary collapse
Instance Method Details
#create ⇒ Object
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 |
# File 'app/controllers/collavre_linear/webhooks_controller.rb', line 20 def create raw_body = request.raw_post.presence || request.body.read payload = JSON.parse(raw_body) link = find_project_link(payload) # Resolve the secret at the TEAM level, not off the matched row's own # column. find_project_link can return a specific row (project/issue/comment # branches) that committed blank in the paste race even though a sibling # holds the team's secret — verifying against the team's non-blank secret # keeps those deliveries from a spurious 401. secret = link && CollavreLinear::ProjectLink.team_webhook_secret(link.team_id) return head :unauthorized unless valid_signature?(raw_body, secret) return head :unauthorized unless (payload) # Signature only proves the sender holds the signing link's per-TEAM secret. # InboundApplier routes by the payload's own id/projectId, so a payload # signed with team A's secret but naming team B's project/issue would let a # user who can see A's (UI-visible) secret forge writes into B. Require every # other identifier to resolve to the SAME team before enqueueing. return head :unauthorized unless payload_identifiers_consistent?(payload, link) account = resolve_account(link) if account && CollavreLinear::EchoGuard.our_event?(account, payload) # Our own actor bounced back — ack so Linear stops retrying, but do not # re-apply our own change. return head :ok end # Enqueue on the sequential linear_inbound queue (single-thread worker) so # verified events apply strictly in receipt order — a comment that arrives # after its issue's create must also be APPLIED after it. CollavreLinear::InboundApplyJob.perform_later(payload) head :ok rescue JSON::ParserError head :bad_request end |