yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8a30c82c6de4541b02829d10046fc5b9db96d366
openclaw-mission-control/backend/migrations/versions/a1b2c3d4e5f6_add_webhook_secret.py
Hugh Brown 4d1dbb4098 security: add HMAC signature verification to webhook ingest 
Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or
X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:35:10 +05:30

40 lines
1.0 KiB
Python
Raw Blame History

"""Add optional secret column to board_webhooks for HMAC signature verification.
Revision ID: a1b2c3d4e5f6
Revises: fa6e83f8d9a1
Create Date: 2026-03-03 00:00:00.000000
"""
from __future__ import annotations
import sqlalchemy as sa
from alembic import op
# revision identifiers, used by Alembic.
revision = "a1b2c3d4e5f6"
down_revision = "f1b2c3d4e5a6"
branch_labels = None
depends_on = None
def upgrade() -> None:
"""Add secret column to board_webhooks table."""
bind = op.get_bind()
inspector = sa.inspect(bind)
columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
if "secret" not in columns:
op.add_column(
"board_webhooks",
sa.Column("secret", sa.String(), nullable=True),
)
def downgrade() -> None:
"""Remove secret column from board_webhooks table."""
bind = op.get_bind()
inspector = sa.inspect(bind)
columns = {c["name"] for c in inspector.get_columns("board_webhooks")}
if "secret" in columns:
op.drop_column("board_webhooks", "secret")
Reference in New Issue View Git Blame Copy Permalink