The endpoint requires appId (GHL client ID) as a query parameter.
Without it the API returns 422 "appId must be a string".
Co-Authored-By: Paperclip <noreply@paperclip.ing>
/locations/search requires locations.readonly which GHL never includes in
company-level OAuth tokens. /oauth/installedLocations uses oauth.readonly,
which is always present in company tokens, and returns only locations where
this app is actually installed.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL includes installedLocations[] in the company-level token response for
bulk installs. Use those IDs directly to avoid calling /locations/search,
which requires locations.readonly scope that GHL doesn't grant. Falls back
to /locations/search only when the list is absent. Also adds raw_body and
installed_locations fields to token response debug logging.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The /locations/search endpoint requires locations.readonly scope.
Without it the company token gets 401 when trying to list locations
during bulk install, blocking the per-location token exchange.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL issues a Company-scoped token (userType=Company) for bulk/agency
installs even when Target User=Sub-account. This fix handles that case:
1. Detect userType=Company in HandleCallback
2. Call GET /locations/search to enumerate all company locations
3. For each location call POST /oauth/locationToken to get a
Location-scoped token (userType=Location, includes locationId)
4. Store each location token individually in MongoDB
This allows webhook delivery and status updates to work per-location
without requiring the agency admin to re-install per sub-account.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Temporary diagnostic logging to determine what GHL includes in the
token exchange response and the OAuth callback redirect URL when
user_type is Company (Sub-account target app, agency-level install).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL signs x-wh-signature webhooks with an Ed25519 key from the
Marketplace app settings, not RSA. The previous RSA implementation
caused all webhook signature checks to fail, blocking every outbound
SMS send.
Changes:
- Replace parseRSAPublicKey + RSA verification with parseEd25519PublicKey
+ ed25519.Verify for x-wh-signature
- Both x-wh-signature (current) and X-GHL-Signature (July 2026) now
use the same Ed25519 key from GHL_WEBHOOK_PUBLIC_KEY
- Remove unused crypto/rsa, crypto/sha256, crypto imports
- Update webhook_test.go to generate/sign with Ed25519 instead of RSA
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL returns an empty locationId when the user authorizes at agency level
instead of selecting a specific sub-account location. Without this guard
the token was silently stored under an empty key, making every subsequent
webhook fail with "no token for location".
Also logs location_id/company_id/user_type from the token response to
make future OAuth install debugging easier.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
G112 (Slowloris): add ReadHeaderTimeout: 10s to http.Server
G602 (slice bounds): use explicit bounds-safe index for backoff slice
(attempt is guarded but gosec can't prove it statically)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Fix two more json.NewEncoder(w).Encode() calls in oauth_test.go
(lines 53 and 119) that were missed in the previous pass.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- internal/ghl/oauth.go:186: defer func(){ _ = resp.Body.Close() }()
- internal/cast/client_test.go: prefix all json.Decode/Encode calls with _ =
- internal/ghl/oauth_test.go: _ = r.ParseForm(), _, _ = w.Write(...)
golangci-lint exclusion rules in v2 are not suppressing test file errcheck
as expected, so fixes are applied directly in source.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Production fixes:
- cmd/server/main.go: refactor to run() helper to eliminate exitAfterDefer
(os.Exit in main() no longer bypasses deferred s.Close)
- internal/cast/client.go: use _ = resp.Body.Close() (errcheck)
- internal/ghl/api.go: wrap both defers as func(){ _ = resp.Body.Close() }()
Test fixes:
- internal/cast/client_test.go: replace err.(*CastAPIError) type assertions
with errors.As (errorlint)
Config:
- .golangci.yml: use explicit path regex .*_test\\.go and add errorlint
to test-file exclusions
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pem.Decode requires actual newlines. When a PEM key is pasted into a
.env file it is commonly stored as a single line with \n literals.
Normalise these before decoding so both formats work.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
GHL uses RSA + SHA-256 for x-wh-signature, not ECDSA P-256 as documented
in the original task files. Also adds forward-compatible Ed25519 support
for X-GHL-Signature (GHL migration scheduled July 2026): handler checks
X-GHL-Signature first, falls back to x-wh-signature.
- webhook.go: replace ecdsa.VerifyASN1 with rsa.VerifyPKCS1v15; add
verifyEd25519 + verifyIncomingSignature dispatch; update struct fields
- webhook_test.go: regenerate test keys as RSA-2048, sign with PKCS1v15
- CLAUDE.md: correct crypto stack and key implementation notes
- .env.example: clarify GHL_WEBHOOK_PUBLIC_KEY is a static RSA key from docs
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
Complete MVP implementation of the Cast GHL Conversation Provider bridge:
- Go module setup with chi router and mongo-driver dependencies
- Config loading with env var validation and defaults
- MongoDB token store with upsert, get, update, delete operations
- Cast.ph SMS client with 429 retry logic and typed errors
- Phone number normalization (E.164 ↔ Philippine local format)
- GHL OAuth 2.0 install/callback/refresh flow
- GHL webhook handler with ECDSA signature verification (async dispatch)
- GHL API client for message status updates and inbound message stubs
- Multi-stage Dockerfile, docker-compose with MongoDB, Woodpecker CI pipeline
- Unit tests for phone normalization, Cast client, GHL webhook, and OAuth handlers
Co-Authored-By: SideKx <sidekx.ai@sds.dev>
