Not all webhook providers use X-Hub-Signature-256 or X-Webhook-Signature.
Add an optional signature_header field so users can specify which header
carries the HMAC signature. When set, that exact header is checked;
when unset, the existing auto-detect fallback is preserved. The custom
header is also excluded from stored/exposed payload headers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous field_validator approach passed `cls` as the first argument
to `_normalize_secret`, which only accepted `v`, causing a TypeError at
runtime. Switch to `Annotated[str | None, BeforeValidator(...)]` which
calls the function with just the value and also eliminates the repeated
validator assignment in both schema classes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move blank/whitespace-only secret normalization to a shared
field_validator on both BoardWebhookCreate and BoardWebhookUpdate.
This ensures consistent behavior across create and update paths
and removes the inline normalization from the endpoint handlers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The has_token boolean redaction requires coordinated frontend changes
(detail page, edit page, orval types). Revert to returning the raw
token for now; token redaction will be handled in a dedicated PR.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gateway tokens were returned as plaintext in GatewayRead API responses.
Replace the `token` field with a boolean `has_token` flag so the API
never exposes the plaintext token. The token remains in the database
for outbound gateway connections (full encryption would require key
management infrastructure).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or
X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Added allow_insecure_tls boolean field to Gateway model and schemas
- Created database migration for the new field
- Updated GatewayConfig to include allow_insecure_tls parameter
- Modified openclaw_call to create SSL context that disables verification when allow_insecure_tls is true
- Updated all GatewayConfig instantiations throughout the backend
- Added checkbox to frontend gateway form (create and edit pages)
- Updated API endpoints to handle the new field
Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com>
