refactor: replace raw String fields with SecretString and NatsToken across source configs

Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>

Author: yordis

rsworkspace/crates/trogon-gateway/src/config.rs

@@ -4,6 +4,7 @@ use std::time::Duration;
 
 use confique::Config;
 use trogon_nats::{NatsAuth, NatsToken};
+use trogon_std::SecretString;
 
 #[derive(Debug)]
 pub enum ConfigError {
@@ -272,15 +273,39 @@ fn resolve_nats(section: &NatsConfig) -> trogon_nats::NatsConfig {
 fn resolve_github(
     section: GithubConfig,
     nats: &trogon_nats::NatsConfig,
-    _errors: &mut Vec<String>,
+    errors: &mut Vec<String>,
 ) -> Option<trogon_source_github::GithubConfig> {
-    let webhook_secret = section.webhook_secret.filter(|s| !s.is_empty())?;
+    let secret_str = section.webhook_secret.filter(|s| !s.is_empty())?;
+
+    let webhook_secret = match SecretString::new(secret_str) {
+        Ok(s) => s,
+        Err(e) => {
+            errors.push(format!("github: invalid webhook_secret: {e}"));
+            return None;
+        }
+    };
+
+    let subject_prefix = match NatsToken::new(section.subject_prefix) {
+        Ok(t) => t,
+        Err(e) => {
+            errors.push(format!("github: invalid subject_prefix: {e:?}"));
+            return None;
+        }
+    };
+
+    let stream_name = match NatsToken::new(section.stream_name) {
+        Ok(t) => t,
+        Err(e) => {
+            errors.push(format!("github: invalid stream_name: {e:?}"));
+            return None;
+        }
+    };
 
     Some(trogon_source_github::GithubConfig {
         webhook_secret,
         port: 0,
-        subject_prefix: section.subject_prefix,
-        stream_name: section.stream_name,
+        subject_prefix,
+        stream_name,
         stream_max_age: Duration::from_secs(section.stream_max_age_secs),
         nats_ack_timeout: Duration::from_secs(section.nats_ack_timeout_secs),
         nats: nats.clone(),
@@ -296,11 +321,19 @@ fn resolve_discord(
 
     let mode = match mode_str.to_ascii_lowercase().as_str() {
         "gateway" => {
-            let Some(bot_token) = section.bot_token.filter(|s| !s.is_empty()) else {
+            let Some(token_str) = section.bot_token.filter(|s| !s.is_empty()) else {
                 errors.push("discord: bot_token is required when mode=gateway".to_string());
                 return None;
             };
 
+            let bot_token = match SecretString::new(token_str) {
+                Ok(s) => s,
+                Err(e) => {
+                    errors.push(format!("discord: invalid bot_token: {e}"));
+                    return None;
+                }
+            };
+
             let intents = if let Some(ref s) = section.gateway_intents {
                 match trogon_source_discord::config::parse_intents(s) {
                     Ok(i) => i,
@@ -373,7 +406,15 @@ fn resolve_slack(
     nats: &trogon_nats::NatsConfig,
     errors: &mut Vec<String>,
 ) -> Option<trogon_source_slack::SlackConfig> {
-    let signing_secret = section.signing_secret.filter(|s| !s.is_empty())?;
+    let secret_str = section.signing_secret.filter(|s| !s.is_empty())?;
+
+    let signing_secret = match SecretString::new(secret_str) {
+        Ok(s) => s,
+        Err(e) => {
+            errors.push(format!("slack: invalid signing_secret: {e}"));
+            return None;
+        }
+    };
 
     let subject_prefix = match NatsToken::new(section.subject_prefix) {
         Ok(t) => t,
@@ -406,15 +447,39 @@ fn resolve_slack(
 fn resolve_telegram(
     section: TelegramConfig,
     nats: &trogon_nats::NatsConfig,
-    _errors: &mut Vec<String>,
+    errors: &mut Vec<String>,
 ) -> Option<trogon_source_telegram::TelegramSourceConfig> {
-    let webhook_secret = section.webhook_secret.filter(|s| !s.is_empty())?;
+    let secret_str = section.webhook_secret.filter(|s| !s.is_empty())?;
+
+    let webhook_secret = match SecretString::new(secret_str) {
+        Ok(s) => s,
+        Err(e) => {
+            errors.push(format!("telegram: invalid webhook_secret: {e}"));
+            return None;
+        }
+    };
+
+    let subject_prefix = match NatsToken::new(section.subject_prefix) {
+        Ok(t) => t,
+        Err(e) => {
+            errors.push(format!("telegram: invalid subject_prefix: {e:?}"));
+            return None;
+        }
+    };
+
+    let stream_name = match NatsToken::new(section.stream_name) {
+        Ok(t) => t,
+        Err(e) => {
+            errors.push(format!("telegram: invalid stream_name: {e:?}"));
+            return None;
+        }
+    };
 
     Some(trogon_source_telegram::TelegramSourceConfig {
         webhook_secret,
         port: 0,
-        subject_prefix: section.subject_prefix,
-        stream_name: section.stream_name,
+        subject_prefix,
+        stream_name,
         stream_max_age: Duration::from_secs(section.stream_max_age_secs),
         nats_ack_timeout: Duration::from_secs(section.nats_ack_timeout_secs),
         nats: nats.clone(),
@@ -469,7 +534,15 @@ fn resolve_linear(
     nats: &trogon_nats::NatsConfig,
     errors: &mut Vec<String>,
 ) -> Option<trogon_source_linear::LinearConfig> {
-    let webhook_secret = section.webhook_secret.filter(|s| !s.is_empty())?;
+    let secret_str = section.webhook_secret.filter(|s| !s.is_empty())?;
+
+    let webhook_secret = match SecretString::new(secret_str) {
+        Ok(s) => s,
+        Err(e) => {
+            errors.push(format!("linear: invalid webhook_secret: {e}"));
+            return None;
+        }
+    };
 
     let subject_prefix = match NatsToken::new(section.subject_prefix) {
         Ok(t) => t,

rsworkspace/crates/trogon-gateway/src/serve.rs

@@ -185,7 +185,7 @@ fn mount_sources(
             } => {
                 let token = bot_token.clone();
                 join_set.spawn(async move {
-                    trogon_source_discord::gateway_runner::run(p, &cfg, &token, intents).await;
+                    trogon_source_discord::gateway_runner::run(p, &cfg, token.as_str(), intents).await;
                     ("discord-gateway", Ok(()))
                 });
                 info!(source = "discord", "gateway mode spawned");

rsworkspace/crates/trogon-source-discord/src/config.rs

@@ -2,6 +2,7 @@ use std::time::Duration;
 
 use ed25519_dalek::VerifyingKey;
 use trogon_nats::{NatsConfig, NatsToken};
+use trogon_std::SecretString;
 use trogon_std::env::ReadEnv;
 use twilight_model::gateway::Intents;
 
@@ -14,7 +15,7 @@ use crate::constants::{
 use crate::signature;
 
 pub enum SourceMode {
-    Gateway { bot_token: String, intents: Intents },
+    Gateway { bot_token: SecretString, intents: Intents },
     Webhook { public_key: VerifyingKey },
 }
 
@@ -37,11 +38,13 @@ impl DiscordConfig {
 
         let mode = match mode_str.to_ascii_lowercase().as_str() {
             "gateway" => {
-                let bot_token = env
-                    .var("DISCORD_BOT_TOKEN")
-                    .ok()
-                    .filter(|s| !s.is_empty())
-                    .expect("DISCORD_BOT_TOKEN is required when DISCORD_MODE=gateway");
+                let bot_token = SecretString::new(
+                    env.var("DISCORD_BOT_TOKEN")
+                        .ok()
+                        .filter(|s| !s.is_empty())
+                        .expect("DISCORD_BOT_TOKEN is required when DISCORD_MODE=gateway"),
+                )
+                .expect("DISCORD_BOT_TOKEN must not be empty");
 
                 let intents = env
                     .var("DISCORD_GATEWAY_INTENTS")
@@ -214,7 +217,7 @@ mod tests {
 
         match &config.mode {
             SourceMode::Gateway { bot_token, intents } => {
-                assert_eq!(bot_token, "test-token");
+                assert_eq!(bot_token.as_str(), "test-token");
                 assert_eq!(*intents, default_intents());
                 assert!(intents.contains(Intents::GUILDS));
                 assert!(intents.contains(Intents::GUILD_MESSAGES));

rsworkspace/crates/trogon-source-github/src/config.rs

@@ -1,6 +1,7 @@
 use std::time::Duration;
 
-use trogon_nats::NatsConfig;
+use trogon_nats::{NatsConfig, NatsToken};
+use trogon_std::SecretString;
 use trogon_std::env::ReadEnv;
 
 use crate::constants::{
@@ -19,10 +20,10 @@ use crate::constants::{
 /// - `GITHUB_NATS_ACK_TIMEOUT_SECS`: NATS ack timeout in seconds (default: 10)
 /// - Standard `NATS_*` variables for NATS connection (see `trogon-nats`)
 pub struct GithubConfig {
-    pub webhook_secret: String,
+    pub webhook_secret: SecretString,
     pub port: u16,
-    pub subject_prefix: String,
-    pub stream_name: String,
+    pub subject_prefix: NatsToken,
+    pub stream_name: NatsToken,
     pub stream_max_age: Duration,
     pub nats_ack_timeout: Duration,
     pub nats: NatsConfig,
@@ -31,22 +32,28 @@ pub struct GithubConfig {
 impl GithubConfig {
     pub fn from_env<E: ReadEnv>(env: &E) -> Self {
         Self {
-            webhook_secret: env
-                .var("GITHUB_WEBHOOK_SECRET")
-                .ok()
-                .filter(|s| !s.is_empty())
-                .expect("GITHUB_WEBHOOK_SECRET is required"),
+            webhook_secret: SecretString::new(
+                env.var("GITHUB_WEBHOOK_SECRET")
+                    .ok()
+                    .filter(|s| !s.is_empty())
+                    .expect("GITHUB_WEBHOOK_SECRET is required"),
+            )
+            .expect("GITHUB_WEBHOOK_SECRET must not be empty"),
             port: env
                 .var("GITHUB_WEBHOOK_PORT")
                 .ok()
                 .and_then(|p| p.parse().ok())
                 .unwrap_or(DEFAULT_PORT),
-            subject_prefix: env
-                .var("GITHUB_SUBJECT_PREFIX")
-                .unwrap_or_else(|_| DEFAULT_SUBJECT_PREFIX.to_string()),
-            stream_name: env
-                .var("GITHUB_STREAM_NAME")
-                .unwrap_or_else(|_| DEFAULT_STREAM_NAME.to_string()),
+            subject_prefix: NatsToken::new(
+                env.var("GITHUB_SUBJECT_PREFIX")
+                    .unwrap_or_else(|_| DEFAULT_SUBJECT_PREFIX.to_string()),
+            )
+            .expect("GITHUB_SUBJECT_PREFIX is not a valid NATS token"),
+            stream_name: NatsToken::new(
+                env.var("GITHUB_STREAM_NAME")
+                    .unwrap_or_else(|_| DEFAULT_STREAM_NAME.to_string()),
+            )
+            .expect("GITHUB_STREAM_NAME is not a valid NATS token"),
             stream_max_age: env
                 .var("GITHUB_STREAM_MAX_AGE_SECS")
                 .ok()
@@ -80,10 +87,10 @@ mod tests {
         let env = env_with_secret();
         let config = GithubConfig::from_env(&env);
 
-        assert_eq!(config.webhook_secret, "test-secret");
+        assert_eq!(config.webhook_secret.as_str(), "test-secret");
         assert_eq!(config.port, 8080);
-        assert_eq!(config.subject_prefix, "github");
-        assert_eq!(config.stream_name, "GITHUB");
+        assert_eq!(config.subject_prefix.as_str(), "github");
+        assert_eq!(config.stream_name.as_str(), "GITHUB");
         assert_eq!(config.stream_max_age, Duration::from_secs(7 * 24 * 60 * 60));
         assert_eq!(config.nats_ack_timeout, Duration::from_secs(10));
     }
@@ -100,10 +107,10 @@ mod tests {
 
         let config = GithubConfig::from_env(&env);
 
-        assert_eq!(config.webhook_secret, "my-secret");
+        assert_eq!(config.webhook_secret.as_str(), "my-secret");
         assert_eq!(config.port, 9090);
-        assert_eq!(config.subject_prefix, "gh");
-        assert_eq!(config.stream_name, "GH_EVENTS");
+        assert_eq!(config.subject_prefix.as_str(), "gh");
+        assert_eq!(config.stream_name.as_str(), "GH_EVENTS");
         assert_eq!(config.stream_max_age, Duration::from_secs(3600));
         assert_eq!(config.nats_ack_timeout, Duration::from_secs(30));
     }

rsworkspace/crates/trogon-source-github/src/server.rs

@@ -7,6 +7,8 @@ use crate::constants::{
     NATS_HEADER_EVENT,
 };
 use crate::signature;
+use trogon_nats::NatsToken;
+use trogon_std::SecretString;
 #[cfg(not(coverage))]
 use async_nats::jetstream::context::CreateStreamError;
 use axum::{
@@ -68,25 +70,23 @@ fn outcome_to_status<E: fmt::Display>(outcome: PublishOutcome<E>) -> StatusCode
 #[derive(Clone)]
 struct AppState<P: JetStreamPublisher, S: ObjectStorePut> {
     publisher: ClaimCheckPublisher<P, S>,
-    webhook_secret: String,
-    subject_prefix: String,
+    webhook_secret: SecretString,
+    subject_prefix: NatsToken,
     nats_ack_timeout: Duration,
 }
 
 pub async fn provision<C: JetStreamContext>(js: &C, config: &GithubConfig) -> Result<(), C::Error> {
     js.get_or_create_stream(async_nats::jetstream::stream::Config {
-        name: config.stream_name.clone(),
+        name: config.stream_name.as_str().to_owned(),
         subjects: vec![format!("{}.>", config.subject_prefix)],
         max_age: config.stream_max_age,
         ..Default::default()
     })
     .await?;
 
+    let stream = config.stream_name.as_str();
     let max_age_secs = config.stream_max_age.as_secs();
-    info!(
-        stream = config.stream_name,
-        max_age_secs, "JetStream stream ready"
-    );
+    info!(stream, max_age_secs, "JetStream stream ready");
     Ok(())
 }
 
@@ -170,7 +170,7 @@ async fn handle_webhook_inner<P: JetStreamPublisher, S: ObjectStorePut>(
 
     match sig {
         Some(sig) => {
-            if let Err(e) = signature::verify(&state.webhook_secret, &body, sig) {
+            if let Err(e) = signature::verify(state.webhook_secret.as_str(), &body, sig) {
                 warn!(reason = %e, "GitHub webhook signature validation failed");
                 return StatusCode::UNAUTHORIZED;
             }
@@ -253,10 +253,10 @@ mod tests {
 
     fn test_config() -> GithubConfig {
         GithubConfig {
-            webhook_secret: TEST_SECRET.to_string(),
+            webhook_secret: SecretString::new(TEST_SECRET).unwrap(),
             port: 0,
-            subject_prefix: "github".to_string(),
-            stream_name: "GITHUB".to_string(),
+            subject_prefix: NatsToken::new("github").unwrap(),
+            stream_name: NatsToken::new("GITHUB").unwrap(),
             stream_max_age: Duration::from_secs(3600),
             nats_ack_timeout: Duration::from_secs(10),
             nats: trogon_nats::NatsConfig::from_env(&trogon_std::env::InMemoryEnv::new()),
@@ -470,8 +470,8 @@ mod tests {
 
         let state = AppState {
             publisher: wrap_publisher(publisher.clone()),
-            webhook_secret: TEST_SECRET.to_string(),
-            subject_prefix: "custom".to_string(),
+            webhook_secret: SecretString::new(TEST_SECRET).unwrap(),
+            subject_prefix: NatsToken::new("custom").unwrap(),
             nats_ack_timeout: Duration::from_secs(10),
         };
 
@@ -641,8 +641,8 @@ mod tests {
                 "test-bucket".to_string(),
                 MaxPayload::from_server_limit(usize::MAX),
             ),
-            webhook_secret: TEST_SECRET.to_string(),
-            subject_prefix: "github".to_string(),
+            webhook_secret: SecretString::new(TEST_SECRET).unwrap(),
+            subject_prefix: NatsToken::new("github").unwrap(),
             nats_ack_timeout: Duration::from_secs(10),
         };
 
@@ -676,8 +676,8 @@ mod tests {
                 "test-bucket".to_string(),
                 MaxPayload::from_server_limit(usize::MAX),
             ),
-            webhook_secret: TEST_SECRET.to_string(),
-            subject_prefix: "github".to_string(),
+            webhook_secret: SecretString::new(TEST_SECRET).unwrap(),
+            subject_prefix: NatsToken::new("github").unwrap(),
             nats_ack_timeout: Duration::from_millis(10),
         };