Built in auth plugin docs and auth hmac improvements #30
Conversation
…ts for various timestamp formats
|
@copilot the |
There was a problem hiding this comment.
Pull Request Overview
This PR enhances the built-in HMAC authentication plugin with full ISO 8601 and Unix timestamp parsing/validation, updates acceptance tests and environment secrets, and adds documentation for built-in and custom auth plugins.
- Added comprehensive unit tests for ISO 8601 and Unix timestamp handling in HMAC validation
- Extended
HMACplugin to parse/validate ISO 8601 UTC timestamps, emit warnings on failures, and normalize headers - Updated acceptance tests, Docker Compose secrets, and docs (
configuration.md&auth_plugins.md) to reflect new timestamp-aware HMAC behavior
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| spec/unit/lib/hooks/plugins/auth/hmac_spec.rb | New tests for ISO 8601 and Unix timestamp validation edge cases |
| lib/hooks/plugins/auth/hmac.rb | Grafted timestamp parsing/validation methods into HMAC plugin |
| spec/acceptance/docker-compose.yml | Updated ALT_WEBHOOK_SECRET value |
| spec/acceptance/acceptance_tests.rb | Acceptance tests updated to include timestamps and new signatures |
| lib/hooks/app/auth/auth.rb | Added warning log on auth failure |
| docs/configuration.md | Linked to new auth plugin documentation |
| docs/auth_plugins.md | New comprehensive guide on built-in and custom auth plugins |
Comments suppressed due to low confidence (1)
spec/acceptance/acceptance_tests.rb:120
- The acceptance tests use
FAKE_ALT_HMAC_SECRET, but indocker-compose.ymltheALT_WEBHOOK_SECRETwas changed to "octoawesome-2-secret". Ensure theFAKE_ALT_HMAC_SECRETconstant matches the updated environment value.
it "successfully processes a valid POST request with HMAC signature and timestamp" do
| return ts if ts | ||
| ts = parse_unix_timestamp(timestamp_value) | ||
| return ts if ts |
There was a problem hiding this comment.
Currently parse_timestamp returns a Time object, but the specs expect an integer. Consider returning ts.to_i so that parse_timestamp yields an Integer rather than a Time.
| return ts if ts | |
| ts = parse_unix_timestamp(timestamp_value) | |
| return ts if ts | |
| return ts.to_i if ts | |
| ts = parse_unix_timestamp(timestamp_value) | |
| return ts.to_i if ts |
| # @return [Boolean] true if it appears to be Unix timestamp format | ||
| # @api private | ||
| def self.unix_timestamp?(timestamp_value) | ||
| !!(timestamp_value =~ /\A\d+\z/) || timestamp_value == "0" |
There was a problem hiding this comment.
The regex for unix_timestamp? allows leading zeros (e.g., "0123"), but the test expects those to be invalid. Update the pattern to /\A(?:[1-9]\d*|0)\z/ to reject leading zeros except for exactly "0".
| !!(timestamp_value =~ /\A\d+\z/) || timestamp_value == "0" | |
| !!(timestamp_value =~ /\A(?:[1-9]\d*|0)\z/) |
No description provided.