a3b14f8a2a
GHL's x-wh-signature uses RSA-PKCS1v15 + SHA-256, not Ed25519. The previous implementation parsed the wrong key type and would reject all incoming webhooks in production. Changes: - webhook.go: switch x-wh-signature verification to RSA-PKCS1v15+SHA-256 - webhook.go: add optional Ed25519 path for X-GHL-Signature (July 2026+) - config.go: add optional GHL_WEBHOOK_ED25519_KEY for future migration - main.go: pass ed25519 key to NewWebhookHandler - webhook_test.go: update test helpers to use RSA keys Co-Authored-By: SideKx <sidekx.ai@sds.dev>
80 lines
2.6 KiB
Go
80 lines
2.6 KiB
Go
package config
|
|
|
|
import (
|
|
"fmt"
|
|
"log/slog"
|
|
"os"
|
|
"strings"
|
|
)
|
|
|
|
type Config struct {
|
|
Port string
|
|
BaseURL string
|
|
GHLClientID string
|
|
GHLClientSecret string
|
|
GHLWebhookPublicKey string
|
|
GHLConversationProviderID string
|
|
// GHLWebhookEd25519Key is the PEM-encoded Ed25519 public key for X-GHL-Signature verification.
|
|
// Optional until GHL activates this header (expected July 2026).
|
|
GHLWebhookEd25519Key string
|
|
CastAPIKey string
|
|
CastAPIURL string
|
|
CastSenderID string
|
|
MongoURI string
|
|
InboundAPIKey string
|
|
// CredentialsEncryptionKey is a 64-hex-char (32-byte) AES-256 key used to
|
|
// encrypt per-location Cast API keys at rest in MongoDB.
|
|
// Optional: if unset, keys are stored in plain text (not recommended for production).
|
|
CredentialsEncryptionKey string
|
|
}
|
|
|
|
func Load() (*Config, error) {
|
|
c := &Config{
|
|
Port: getEnvDefault("PORT", "3002"),
|
|
BaseURL: os.Getenv("BASE_URL"),
|
|
GHLClientID: os.Getenv("GHL_CLIENT_ID"),
|
|
GHLClientSecret: os.Getenv("GHL_CLIENT_SECRET"),
|
|
GHLWebhookPublicKey: os.Getenv("GHL_WEBHOOK_PUBLIC_KEY"),
|
|
GHLConversationProviderID: os.Getenv("GHL_CONVERSATION_PROVIDER_ID"),
|
|
GHLWebhookEd25519Key: os.Getenv("GHL_WEBHOOK_ED25519_KEY"),
|
|
CastAPIKey: os.Getenv("CAST_API_KEY"),
|
|
CastAPIURL: getEnvDefault("CAST_API_URL", "https://api.cast.ph"),
|
|
CastSenderID: os.Getenv("CAST_SENDER_ID"),
|
|
MongoURI: os.Getenv("MONGO_URI"),
|
|
InboundAPIKey: os.Getenv("INBOUND_API_KEY"),
|
|
CredentialsEncryptionKey: os.Getenv("CREDENTIALS_ENCRYPTION_KEY"),
|
|
}
|
|
|
|
var missing []string
|
|
required := map[string]string{
|
|
"BASE_URL": c.BaseURL,
|
|
"GHL_CLIENT_ID": c.GHLClientID,
|
|
"GHL_CLIENT_SECRET": c.GHLClientSecret,
|
|
"GHL_WEBHOOK_PUBLIC_KEY": c.GHLWebhookPublicKey,
|
|
"GHL_CONVERSATION_PROVIDER_ID": c.GHLConversationProviderID,
|
|
"CAST_API_KEY": c.CastAPIKey,
|
|
"MONGO_URI": c.MongoURI,
|
|
}
|
|
for key, val := range required {
|
|
if val == "" {
|
|
missing = append(missing, key)
|
|
}
|
|
}
|
|
if len(missing) > 0 {
|
|
return nil, fmt.Errorf("missing required environment variables: %s", strings.Join(missing, ", "))
|
|
}
|
|
|
|
if c.CredentialsEncryptionKey == "" {
|
|
slog.Warn("CREDENTIALS_ENCRYPTION_KEY is not set — per-location Cast API keys will be stored in plain text")
|
|
}
|
|
|
|
return c, nil
|
|
}
|
|
|
|
func getEnvDefault(key, def string) string {
|
|
if v := os.Getenv(key); v != "" {
|
|
return v
|
|
}
|
|
return def
|
|
}
|