Use Authorization header instead of url parameter

modules/webhook/deliver.go

@@ -73,6 +73,13 @@ func Deliver(t *models.HookTask) error {
  return fmt.Errorf("Invalid http method for webhook: [%d] %v", t.ID, t.HTTPMethod)
  }
 
+ if t.Type == models.MATRIX {
+ req, err = getMatrixHookRequest(t)
+ if err != nil {
+ return err
+ }
+ }
+
  req.Header.Add("X-Gitea-Delivery", t.UUID)
  req.Header.Add("X-Gitea-Event", t.EventType.Event())
  req.Header.Add("X-Gitea-Signature", t.Signature)

modules/webhook/matrix.go

@@ -9,6 +9,7 @@ import (
  "errors"
  "fmt"
  "html"
+ "net/http"
  "regexp"
  "strings"
 
@@ -41,19 +42,35 @@ func GetMatrixHook(w *models.Webhook) *MatrixMeta {
  return s
 }
 
-// MatrixPayload contains the information about the Matrix room
-type MatrixPayload struct {
+// MatrixPayloadUnsafe contains the (unsafe) payload for a Matrix room
+type MatrixPayloadUnsafe struct {
+ MatrixPayloadSafe
+ AccessToken string `json:"access_token"`
+}
+
+// safePayload "converts" a unsafe payload to a safe payload
+func (p *MatrixPayloadUnsafe) safePayload() *MatrixPayloadSafe {
+ return &MatrixPayloadSafe{
+ Body: p.Body,
+ MsgType: p.MsgType,
+ Format: p.Format,
+ FormattedBody: p.FormattedBody,
+ }
+}
+
+// MatrixPayloadSafe contains (safe) payload for a Matrix room
+type MatrixPayloadSafe struct {
  Body string `json:"body"`
  MsgType string `json:"msgtype"`
  Format string `json:"format"`
  FormattedBody string `json:"formatted_body"`
 }
 
 // SetSecret sets the Matrix secret
-func (p *MatrixPayload) SetSecret(_ string) {}
+func (p *MatrixPayloadUnsafe) SetSecret(_ string) {}
 
-// JSONPayload Marshals the MatrixPayload to json
-func (p *MatrixPayload) JSONPayload() ([]byte, error) {
+// JSONPayload Marshals the MatrixPayloadUnsafe to json
+func (p *MatrixPayloadUnsafe) JSONPayload() ([]byte, error) {
  data, err := json.MarshalIndent(p, "", " ")
  if err != nil {
  return []byte{}, err
@@ -79,81 +96,51 @@ func MatrixLinkToRef(repoURL, ref string) string {
  }
 }
 
-func getMatrixCreatePayload(p *api.CreatePayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixCreatePayload(p *api.CreatePayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  repoLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
  refLink := MatrixLinkToRef(p.Repo.HTMLURL, p.Ref)
  text := fmt.Sprintf("[%s:%s] %s created by %s", repoLink, refLink, p.RefType, p.Sender.UserName)
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
 // getMatrixDeletePayload composes Matrix payload for delete a branch or tag.
-func getMatrixDeletePayload(p *api.DeletePayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixDeletePayload(p *api.DeletePayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  refName := git.RefEndName(p.Ref)
  repoLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
  text := fmt.Sprintf("[%s:%s] %s deleted by %s", repoLink, refName, p.RefType, p.Sender.UserName)
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
 // getMatrixForkPayload composes Matrix payload for forked by a repository.
-func getMatrixForkPayload(p *api.ForkPayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixForkPayload(p *api.ForkPayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  baseLink := MatrixLinkFormatter(p.Forkee.HTMLURL, p.Forkee.FullName)
  forkLink := MatrixLinkFormatter(p.Repo.HTMLURL, p.Repo.FullName)
  text := fmt.Sprintf("%s is forked to %s", baseLink, forkLink)
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixIssuesPayload(p *api.IssuePayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixIssuesPayload(p *api.IssuePayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  text, _, _, _ := getIssuesPayloadInfo(p, MatrixLinkFormatter, true)
 
- pl := &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }
-
- return pl, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixIssueCommentPayload(p *api.IssueCommentPayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixIssueCommentPayload(p *api.IssueCommentPayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  text, _, _ := getIssueCommentPayloadInfo(p, MatrixLinkFormatter, true)
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixReleasePayload(p *api.ReleasePayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixReleasePayload(p *api.ReleasePayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  text, _ := getReleasePayloadInfo(p, MatrixLinkFormatter, true)
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixPushPayload(p *api.PushPayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixPushPayload(p *api.PushPayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  var commitDesc string
 
  if len(p.Commits) == 1 {
@@ -173,30 +160,19 @@ func getMatrixPushPayload(p *api.PushPayload, matrix *MatrixMeta) (*MatrixPayloa
  if i < len(p.Commits)-1 {
  text += "<br>"
  }
+
  }
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixPullRequestPayload(p *api.PullRequestPayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixPullRequestPayload(p *api.PullRequestPayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  text, _, _, _ := getPullRequestPayloadInfo(p, MatrixLinkFormatter, true)
 
- pl := &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }
-
- return pl, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixPullRequestApprovalPayload(p *api.PullRequestPayload, matrix *MatrixMeta, event models.HookEventType) (*MatrixPayload, error) {
+func getMatrixPullRequestApprovalPayload(p *api.PullRequestPayload, matrix *MatrixMeta, event models.HookEventType) (*MatrixPayloadUnsafe, error) {
  senderLink := MatrixLinkFormatter(setting.AppURL+p.Sender.UserName, p.Sender.UserName)
  title := fmt.Sprintf("#%d %s", p.Index, p.PullRequest.Title)
  titleLink := fmt.Sprintf("%s/pulls/%d", p.Repository.HTMLURL, p.Index)
@@ -213,15 +189,10 @@ func getMatrixPullRequestApprovalPayload(p *api.PullRequestPayload, matrix *Matr
  text = fmt.Sprintf("[%s] Pull request review %s: [%s](%s) by %s", repoLink, action, title, titleLink, senderLink)
  }
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-func getMatrixRepositoryPayload(p *api.RepositoryPayload, matrix *MatrixMeta) (*MatrixPayload, error) {
+func getMatrixRepositoryPayload(p *api.RepositoryPayload, matrix *MatrixMeta) (*MatrixPayloadUnsafe, error) {
  senderLink := MatrixLinkFormatter(setting.AppURL+p.Sender.UserName, p.Sender.UserName)
  repoLink := MatrixLinkFormatter(p.Repository.HTMLURL, p.Repository.FullName)
  var text string
@@ -233,17 +204,12 @@ func getMatrixRepositoryPayload(p *api.RepositoryPayload, matrix *MatrixMeta) (*
  text = fmt.Sprintf("[%s] Repository deleted by %s", repoLink, senderLink)
  }
 
- return &MatrixPayload{
- Body: getMessageBody(text),
- MsgType: messageTypeText[matrix.MessageType],
- Format: "org.matrix.custom.html",
- FormattedBody: text,
- }, nil
+ return getMatrixPayloadUnsafe(text, matrix), nil
 }
 
-// GetMatrixPayload converts a Matrix webhook into a MatrixPayload
-func GetMatrixPayload(p api.Payloader, event models.HookEventType, meta string) (*MatrixPayload, error) {
- s := new(MatrixPayload)
+// GetMatrixPayload converts a Matrix webhook into a MatrixPayloadUnsafe
+func GetMatrixPayload(p api.Payloader, event models.HookEventType, meta string) (*MatrixPayloadUnsafe, error) {
+ s := new(MatrixPayloadUnsafe)
 
  matrix := &MatrixMeta{}
  if err := json.Unmarshal([]byte(meta), &matrix); err != nil {
@@ -277,10 +243,49 @@ func GetMatrixPayload(p api.Payloader, event models.HookEventType, meta string)
  return s, nil
 }
 
+func getMatrixPayloadUnsafe(text string, matrix *MatrixMeta) *MatrixPayloadUnsafe {
+ p := MatrixPayloadUnsafe{}
+ p.AccessToken = matrix.AccessToken
+ p.FormattedBody = text
+ p.Body = getMessageBody(text)
+ p.Format = "org.matrix.custom.html"
+ p.MsgType = messageTypeText[matrix.MessageType]
+ return &p
+}
+
 var urlRegex = regexp.MustCompile(`<a [^>]*?href="([^">]*?)">(.*?)</a>`)
 
 func getMessageBody(htmlText string) string {
  htmlText = urlRegex.ReplaceAllString(htmlText, "[$2]($1)")
  htmlText = strings.ReplaceAll(htmlText, "<br>", "\n")
  return htmlText
 }
+
+// getMatrixHookRequest creates a new request which contains an Authorization header.
+// The access_token is removed from t.PayloadContent
+func getMatrixHookRequest(t *models.HookTask) (*http.Request, error) {
+ payloadunsafe := MatrixPayloadUnsafe{}
+ if err := json.Unmarshal([]byte(t.PayloadContent), &payloadunsafe); err != nil {
+ log.Error("Matrix Hook delivery failed: %v", err)
+ return nil, err
+ }
+
+ payloadsafe := payloadunsafe.safePayload()
+
+ var payload []byte
+ var err error
+ if payload, err = json.MarshalIndent(payloadsafe, "", " "); err != nil {
+ return nil, err
+ }
+ t.PayloadContent = string(payload)
+
+ req, err := http.NewRequest("POST", t.URL, strings.NewReader(string(payload)))
+ if err != nil {
+ return nil, err
+ }
+
+ req.Header.Set("Content-Type", "application/json")
+ req.Header.Add("Authorization", "Bearer "+payloadunsafe.AccessToken)
+
+ return req, nil
+}

modules/webhook/matrix_test.go

@@ -7,6 +7,7 @@ package webhook
 import (
  "testing"
 
+ "code.gitea.io/gitea/models"
  api "code.gitea.io/gitea/modules/structs"
 
  "github.com/stretchr/testify/assert"
@@ -83,3 +84,29 @@ func TestMatrixPullRequestPayload(t *testing.T) {
  assert.Equal(t, "[[test/repo](http:https://localhost:3000/test/repo)] Pull request opened: [#2 Fix bug](http:https://localhost:3000/test/repo/pulls/12) by [user1](https://try.gitea.io/user1)", pl.Body)
  assert.Equal(t, "[<a href=\"http:https://localhost:3000/test/repo\">test/repo</a>] Pull request opened: <a href=\"http:https://localhost:3000/test/repo/pulls/12\">#2 Fix bug</a> by <a href=\"https://try.gitea.io/user1\">user1</a>", pl.FormattedBody)
 }
+
+func TestMatrixHookRequest(t *testing.T) {
+ h := &models.HookTask{
+ PayloadContent: `{
+ "body": "[[user1/test](http:https://localhost:3000/user1/test)] user1 pushed 1 commit to [master](http:https://localhost:3000/user1/test/src/branch/master):\n[5175ef2](http:https://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee): Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http:https://localhost:3000/user1/test/pulls/2\n - user1",
+ "msgtype": "m.notice",
+ "format": "org.matrix.custom.html",
+ "formatted_body": "[\u003ca href=\"http:https://localhost:3000/user1/test\"\u003euser1/test\u003c/a\u003e] user1 pushed 1 commit to \u003ca href=\"http:https://localhost:3000/user1/test/src/branch/master\"\u003emaster\u003c/a\u003e:\u003cbr\u003e\u003ca href=\"http:https://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee\"\u003e5175ef2\u003c/a\u003e: Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http:https://localhost:3000/user1/test/pulls/2\n - user1",
+ "access_token": "dummy_access_token"
+}`,
+ }
+
+ wantPayloadContent := `{
+ "body": "[[user1/test](http:https://localhost:3000/user1/test)] user1 pushed 1 commit to [master](http:https://localhost:3000/user1/test/src/branch/master):\n[5175ef2](http:https://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee): Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http:https://localhost:3000/user1/test/pulls/2\n - user1",
+ "msgtype": "m.notice",
+ "format": "org.matrix.custom.html",
+ "formatted_body": "[\u003ca href=\"http:https://localhost:3000/user1/test\"\u003euser1/test\u003c/a\u003e] user1 pushed 1 commit to \u003ca href=\"http:https://localhost:3000/user1/test/src/branch/master\"\u003emaster\u003c/a\u003e:\u003cbr\u003e\u003ca href=\"http:https://localhost:3000/user1/test/commit/5175ef26201c58b035a3404b3fe02b4e8d436eee\"\u003e5175ef2\u003c/a\u003e: Merge pull request 'Change readme.md' (#2) from add-matrix-webhook into master\n\nReviewed-on: http:https://localhost:3000/user1/test/pulls/2\n - user1"
+}`
+
+ req, err := getMatrixHookRequest(h)
+ require.Nil(t, err)
+ require.NotNil(t, req)
+
+ assert.Equal(t, "Bearer dummy_access_token", req.Header.Get("Authorization"))
+ assert.Equal(t, wantPayloadContent, h.PayloadContent)
+}

routers/repo/webhook.go

@@ -448,7 +448,7 @@ func MatrixHooksNewPost(ctx *context.Context, form auth.NewMatrixHookForm) {
 
  w := &models.Webhook{
  RepoID: orCtx.RepoID,
- URL: fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message?access_token=%s", form.HomeserverURL, form.RoomID, form.AccessToken),
+ URL: fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, form.RoomID),
  ContentType: models.ContentTypeJSON,
  HookEvent: ParseHookEvent(form.WebhookForm),
  IsActive: form.Active,
@@ -942,7 +942,8 @@ func MatrixHooksEditPost(ctx *context.Context, form auth.NewMatrixHookForm) {
  return
  }
  w.Meta = string(meta)
- w.URL = fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message?access_token=%s", form.HomeserverURL, form.RoomID, form.AccessToken)
+ w.URL = fmt.Sprintf("%s/_matrix/client/r0/rooms/%s/send/m.room.message", form.HomeserverURL, form.RoomID)
+
  w.HookEvent = ParseHookEvent(form.WebhookForm)
  w.IsActive = form.Active
  if err := w.UpdateEvent(); err != nil {