openclaw-mission-control/backend/app/schemas/board_webhooks.py
Hugh Brown 4d1dbb4098 security: add HMAC signature verification to webhook ingest
Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in the X-Hub-Signature-256 or
X-Webhook-Signature header. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:35:10 +05:30


"""Schemas for board webhook configuration and payload capture endpoints."""
from __future__ import annotations
from datetime import datetime
from uuid import UUID
from sqlmodel import SQLModel
from app.schemas.common import NonEmptyStr
# Types referenced by the string annotations below (this module uses
# ``from __future__ import annotations``).  NOTE(review): the consumer of this
# tuple is not in this file; presumably it is used to resolve those annotations
# at runtime — confirm against the caller before relying on that.
RUNTIME_ANNOTATION_TYPES = (datetime, UUID, NonEmptyStr)
class BoardWebhookCreate(SQLModel):
    """Payload for creating a board webhook.

    ``secret`` is the shared key used for HMAC-SHA256 verification of
    inbound requests (per the commit message); the verification itself is
    not in this module.  It is optional, so a webhook created without one
    has no request authentication.
    """

    description: NonEmptyStr
    enabled: bool = True
    agent_id: UUID | None = None
    # Any ``str`` is accepted here, including "" — whether an empty string
    # counts as "configured" is decided by the ingest check, not the schema.
    secret: str | None = None
class BoardWebhookUpdate(SQLModel):
    """Payload for updating a board webhook.

    Every field defaults to ``None``, so a field omitted from the request and
    a field explicitly sent as ``null`` validate to the same value unless the
    update handler inspects which fields were actually set.  This matters
    most for ``secret``, where ``None`` could mean either "leave unchanged"
    or "remove the secret" — the handler (not in this module) decides.
    """

    description: NonEmptyStr | None = None
    enabled: bool | None = None
    agent_id: UUID | None = None
    # Replacement HMAC secret; see the docstring about the ``None`` ambiguity.
    secret: str | None = None
class BoardWebhookRead(SQLModel):
    """Serialized board webhook configuration.

    The secret value is not a field of this model; only ``has_secret``
    reports whether one is configured.
    """

    id: UUID
    board_id: UUID
    agent_id: UUID | None = None
    description: str
    enabled: bool
    # Presumably True when a shared secret is stored for this webhook; the
    # secret itself is never serialized here.
    has_secret: bool = False
    endpoint_path: str
    # Absolute ingest URL may be unavailable, in which case only the path is given.
    endpoint_url: str | None = None
    created_at: datetime
    updated_at: datetime
class BoardWebhookPayloadRead(SQLModel):
    """Serialized stored webhook payload."""

    id: UUID
    board_id: UUID
    webhook_id: UUID
    # Captured request body as any JSON value; ``None`` when nothing was stored.
    payload: dict[str, object] | list[object] | str | int | float | bool | None = None
    # Captured request headers.  NOTE(review): if these are stored verbatim
    # they include the signature header and any credentials the sender
    # attached — confirm whether the ingest path redacts before storing.
    headers: dict[str, str] | None = None
    source_ip: str | None = None
    content_type: str | None = None
    received_at: datetime
class BoardWebhookIngestResponse(SQLModel):
    """Response payload for inbound webhook ingestion."""

    # Defaults to True; presumably failures are reported via HTTP status
    # rather than ``ok=False`` — the endpoint is not in this module.
    ok: bool = True
    board_id: UUID
    webhook_id: UUID
    # Identifier of the stored payload record created for this request.
    payload_id: UUID
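Review bot: `secret: str | None = None` on BoardWebhookCreate and BoardWebhookUpdate accepts the empty string, so a webhook can be saved with `secret=""` and whatever the ingest check does with an empty key (not in this file) becomes the effective policy; `secret: NonEmptyStr | None = None`, using the type this module already imports, keeps "no secret" and "a secret" disjoint at the schema boundary. On BoardWebhookUpdate, `None` is both the default and the only way to express "remove the secret", so the update handler must distinguish unset fields from an explicit null (e.g. by applying only the fields that were set) or one of two outcomes follows: removal is impossible, or every update that omits `secret` silently clears it — which one depends on the handler, which is outside this listing. BoardWebhookRead exposes only `has_secret`, never the value, which is the right shape. The `headers` field on BoardWebhookPayloadRead suggests request headers are stored and returned verbatim; if so they carry the signature header and any credentials a sender attaches, so redaction at capture time is worth considering.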