CAST/cast-ghl-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cast-ghl-plugin/internal/ghl/webhook_test.go
Head of Product & Engineering d081875fce fix: add uninstall handler, idempotency guard, and OAuth error handling 
GHL Marketplace submission blockers resolved:
- Add POST /api/ghl/v1/webhook/uninstall to delete token on app removal
- Add in-memory messageId deduplication (10-min TTL) to prevent duplicate SMS sends on webhook retries
- Handle ?error= param in OAuth callback for user-denied auth flows
- Pass store to WebhookHandler; update tests accordingly

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-04 17:52:09 +02:00

115 lines
3.3 KiB
Go
Raw Blame History

package ghl
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"net/http"
"net/http/httptest"
"strings"
"testing"
castclient "git.sds.dev/CAST/cast-ghl-plugin/internal/cast"
)
func generateTestKeyPair(t *testing.T) (*ecdsa.PrivateKey, string) {
t.Helper()
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("failed to generate key: %v", err)
}
pubBytes, err := x509.MarshalPKIXPublicKey(&privKey.PublicKey)
if err != nil {
t.Fatalf("failed to marshal public key: %v", err)
}
pemBlock := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubBytes})
return privKey, string(pemBlock)
}
func signPayload(t *testing.T, privKey *ecdsa.PrivateKey, body []byte) string {
t.Helper()
hash := sha256.Sum256(body)
sig, err := ecdsa.SignASN1(rand.Reader, privKey, hash[:])
if err != nil {
t.Fatalf("failed to sign: %v", err)
}
return base64.StdEncoding.EncodeToString(sig)
}
func newTestHandler(t *testing.T, pubPEM string) *WebhookHandler {
t.Helper()
ms := &inMemStore{}
oauth := NewOAuthHandler("c", "s", "http://x", "p", ms)
handler, err := NewWebhookHandler(pubPEM, castclient.NewClient("http://localhost:1", "k", ""), NewAPIClient(), oauth, ms)
if err != nil {
t.Fatalf("failed to create handler: %v", err)
}
return handler
}
func TestWebhook_ValidSignature_SMS(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"contactId":"c1","locationId":"loc1","messageId":"msg1","type":"SMS","phone":"+639171234567","message":"hello","attachments":[],"userId":"u1"}`
sig := signPayload(t, privKey, []byte(body))
req := httptest.NewRequest(http.MethodPost, "/api/ghl/v1/webhook/messages", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200, got %d", rr.Code)
}
}
func TestWebhook_InvalidSignature(t *testing.T) {
_, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"type":"SMS","phone":"+639171234567","message":"test"}`
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
req.Header.Set("x-wh-signature", "aW52YWxpZA==")
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", rr.Code)
}
}
func TestWebhook_MissingSignature(t *testing.T) {
_, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(`{"type":"SMS"}`))
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusUnauthorized {
t.Errorf("expected 401, got %d", rr.Code)
}
}
func TestWebhook_NonSMSType(t *testing.T) {
privKey, pubPEM := generateTestKeyPair(t)
handler := newTestHandler(t, pubPEM)
body := `{"type":"Email","phone":"+639171234567","message":"test"}`
sig := signPayload(t, privKey, []byte(body))
req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
req.Header.Set("x-wh-signature", sig)
rr := httptest.NewRecorder()
handler.HandleWebhook(rr, req)
if rr.Code != http.StatusOK {
t.Errorf("expected 200, got %d", rr.Code)
}
}
Reference in New Issue View Git Blame Copy Permalink