Harden webhook handling and deployment config

Author: bisug

.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Check formatting
+        run: |
+          unformatted="$(gofmt -l ./cmd ./internal)"
+          test -z "$unformatted" || (echo "$unformatted" && exit 1)
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test
+        run: go test ./... -count=1
+
+      - name: Vulnerability scan
+        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

Dockerfile

@@ -19,10 +19,12 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o tg-githubbot cmd/bot/main.go
 
 # Final stage
-FROM alpine:latest
+FROM alpine:3.22
 
 WORKDIR /app
 
+RUN addgroup -S app && adduser -S -G app app
+
 # Copy the CA certificates from builder
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
@@ -32,5 +34,7 @@ COPY --from=builder /app/tg-githubbot .
 # Expose the webhook port (default 8080)
 EXPOSE 8080
 
+USER app
+
 # Command to run the executable
 CMD ["./tg-githubbot"]

README.md

@@ -139,15 +139,22 @@ TELEGRAM_WEBHOOK_URL=https://your-domain.com
 # GitHub OAuth App credentials
 GITHUB_CLIENT_ID=Iv1...
 GITHUB_CLIENT_SECRET=...
+GITHUB_WEBHOOK_SECRET=...
 
 # HTTP server port (Use 10000 for Render, 8080 for Standard/Docker)
 PORT=8080
 
 # (Optional) Set to true for Polling (Best for Cloud/Local). Default: false (Webhooks)
 USE_POLLING=false
 
+# MongoDB connection string
+MONGODB_URI=mongodb://localhost:27017
+
 # MongoDB database name
 DATABASE_NAME=github_bot
+
+# Stable 32-byte hex key for encrypting stored tokens
+ENCRYPTION_KEY=...
 ```
 
 > [!CAUTION]
@@ -224,7 +231,7 @@ Docker Compose is the recommended deployment path.
 4. Check logs:
 
    ```bash
-   docker compose logs -f github-bot
+   docker compose logs -f bot
    ```
 
 5. Confirm the health page:

cmd/bot/main.go

@@ -155,7 +155,10 @@ func run() (runErr error) {
 		}
 
 		oauthStateCache.Delete(state)
-		token, err := oauth.ExchangeCode(context.Background(), code)
+		requestCtx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+		defer cancel()
+
+		token, err := oauth.ExchangeCode(requestCtx, code)
 		if err != nil {
 			http.Error(w, "Failed to exchange code", http.StatusInternalServerError)
 			return
@@ -167,8 +170,8 @@ func run() (runErr error) {
 			return
 		}
 
-		ghClient := clientFactory.GetUserClient(context.Background(), token.AccessToken)
-		u, _, err := ghClient.Users.Get(context.Background(), "")
+		ghClient := clientFactory.GetUserClient(requestCtx, token.AccessToken)
+		u, _, err := ghClient.Users.Get(requestCtx, "")
 		if err != nil {
 			http.Error(w, "Failed to fetch user", http.StatusInternalServerError)
 			return
@@ -180,7 +183,7 @@ func run() (runErr error) {
 			GitHubUsername:      u.GetLogin(),
 			EncryptedOAuthToken: encToken,
 		}
-		if err := database.UpsertUser(context.Background(), user); err != nil {
+		if err := database.UpsertUser(requestCtx, user); err != nil {
 			http.Error(w, "DB Error", http.StatusInternalServerError)
 			return
 		}
@@ -211,7 +214,11 @@ func run() (runErr error) {
 	}
 
 	server := &http.Server{
-		Handler: mux,
+		Handler:           mux,
+		ReadHeaderTimeout: 5 * time.Second,
+		ReadTimeout:       15 * time.Second,
+		WriteTimeout:      15 * time.Second,
+		IdleTimeout:       60 * time.Second,
 	}
 
 	serverErr := make(chan error, 1)
@@ -261,10 +268,9 @@ func run() (runErr error) {
 	} else {
 		webhookBase := strings.TrimRight(cfg.TelegramWebhookURL, "/")
 		webhookPath := "/bot" + cfg.TelegramToken
-		fullWebhookURL := webhookBase + webhookPath
 
 		mux.HandleFunc(webhookPath, updater.GetHandlerFunc(""))
-		log.Printf("Registered local Telegram webhook handler for %s", webhookPath)
+		log.Printf("Registered local Telegram webhook handler for /bot<redacted>")
 
 		err = updater.SetAllBotWebhooks(webhookBase, &gotgbot.SetWebhookOpts{
 			MaxConnections:     100,
@@ -278,7 +284,7 @@ func run() (runErr error) {
 				}
 			}()
 		} else {
-			log.Printf("✅ Bot successfully registered Webhook at Telegram: %s", fullWebhookURL)
+			log.Printf("✅ Bot successfully registered Webhook at Telegram: %s/bot<redacted>", webhookBase)
 		}
 	}
 

docker-compose.yml

@@ -9,18 +9,20 @@ services:
       - "8080:8080"
     environment:
       - TELEGRAM_TOKEN=${TELEGRAM_TOKEN}
+      - TELEGRAM_WEBHOOK_URL=${TELEGRAM_WEBHOOK_URL}
       - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID}
       - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}
+      - GITHUB_WEBHOOK_SECRET=${GITHUB_WEBHOOK_SECRET}
       - MONGODB_URI=mongodb://mongo:27017
-      - MONGODB_DB=${MONGODB_DB:-github_bot}
+      - DATABASE_NAME=${DATABASE_NAME:-github_bot}
       - ENCRYPTION_KEY=${ENCRYPTION_KEY}
-      - BASE_URL=${BASE_URL}
+      - USE_POLLING=${USE_POLLING:-false}
       - PORT=8080
     depends_on:
       - mongo
 
   mongo:
-    image: mongo:latest
+    image: mongo:7
     container_name: tg_githubbot_mongo
     restart: unless-stopped
     ports:

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	golang.org/x/crypto v0.51.0 // indirect
-	golang.org/x/net v0.54.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/text v0.37.0 // indirect
 )

go.sum

@@ -44,8 +44,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/bot/callbacks/callbacks.go

@@ -699,7 +699,7 @@ func (h *CallbackHandler) handleAddRepoByID(b *gotgbot.Bot, ctx *ext.Context, re
 
 	// Reuse showRepoMenu to let user choose notifications immediately
 	kb := h.repoMenuButtons(&link)
-	
+
 	msg := fmt.Sprintf("✅ Repository <b>%s</b> linked successfully!\n\nChoose what events to notify:", repo.GetFullName())
 	_, _, err = ctx.EffectiveMessage.EditText(b, msg, &gotgbot.EditMessageTextOpts{
 		ReplyMarkup: gotgbot.InlineKeyboardMarkup{InlineKeyboard: kb},

internal/bot/commands/commands.go

@@ -26,27 +26,40 @@ import (
 )
 
 type CommandHandler struct {
-	Config          *config.Config
-	DB              *db.DB
-	OAuth           *gh.OAuth
-	StateCache      *cache.Cache[string, int64]
-	ClientFactory   *gh.ClientFactory
-	EncryptionKey   string
-	ContextCache    *cache.Cache[string, models.MessageContext]
+	Config        *config.Config
+	DB            *db.DB
+	OAuth         *gh.OAuth
+	StateCache    *cache.Cache[string, int64]
+	ClientFactory *gh.ClientFactory
+	EncryptionKey string
+	ContextCache  *cache.Cache[string, models.MessageContext]
 }
 
 func NewCommandHandler(cfg *config.Config, database *db.DB, oauth *gh.OAuth, stateCache *cache.Cache[string, int64], factory *gh.ClientFactory, key string, ctxCache *cache.Cache[string, models.MessageContext]) *CommandHandler {
 	return &CommandHandler{
-		Config:          cfg,
-		DB:              database,
-		OAuth:           oauth,
-		StateCache:      stateCache,
-		ClientFactory:   factory,
-		EncryptionKey:   key,
-		ContextCache:    ctxCache,
+		Config:        cfg,
+		DB:            database,
+		OAuth:         oauth,
+		StateCache:    stateCache,
+		ClientFactory: factory,
+		EncryptionKey: key,
+		ContextCache:  ctxCache,
 	}
 }
 
+func requireAdminOrPrivate(b *gotgbot.Bot, ctx *ext.Context, deniedMessage string) error {
+	if ctx.EffectiveChat != nil && ctx.EffectiveChat.Type == gotgbot.ChatTypePrivate {
+		return nil
+	}
+
+	if ctx.EffectiveChat != nil && ctx.EffectiveUser != nil && utils.IsAdmin(b, ctx.EffectiveChat.Id, ctx.EffectiveUser.Id) {
+		return nil
+	}
+
+	_, err := ctx.EffectiveMessage.Reply(b, deniedMessage, nil)
+	return err
+}
+
 func (h *CommandHandler) Start(b *gotgbot.Bot, ctx *ext.Context) error {
 	msg := `<b>Welcome to the GitHub Bot!</b> 🤖
 
@@ -177,8 +190,7 @@ func repoPageKeyboardNav(page int, resp *github.Response) []gotgbot.InlineKeyboa
 }
 
 func (h *CommandHandler) AddRepo(b *gotgbot.Bot, ctx *ext.Context) error {
-	if ctx.EffectiveChat.Type != gotgbot.ChatTypePrivate && !utils.IsAdmin(b, ctx.EffectiveChat.Id, ctx.EffectiveUser.Id) {
-		_, err := ctx.EffectiveMessage.Reply(b, "Only admins can add repositories.", nil)
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can add repositories."); err != nil {
 		return err
 	}
 
@@ -352,8 +364,7 @@ func (h *CommandHandler) sendRepoList(b *gotgbot.Bot, ctx *ext.Context, page int
 }
 
 func (h *CommandHandler) Settings(b *gotgbot.Bot, ctx *ext.Context) error {
-	if ctx.EffectiveChat.Type != gotgbot.ChatTypePrivate && !utils.IsAdmin(b, ctx.EffectiveChat.Id, ctx.EffectiveUser.Id) {
-		_, err := ctx.EffectiveMessage.Reply(b, "Only admins can modify settings.", nil)
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can modify settings."); err != nil {
 		return err
 	}
 
@@ -384,8 +395,7 @@ func (h *CommandHandler) Settings(b *gotgbot.Bot, ctx *ext.Context) error {
 }
 
 func (h *CommandHandler) RemoveRepo(b *gotgbot.Bot, ctx *ext.Context) error {
-	if ctx.EffectiveChat.Type != gotgbot.ChatTypePrivate && !utils.IsAdmin(b, ctx.EffectiveChat.Id, ctx.EffectiveUser.Id) {
-		_, err := ctx.EffectiveMessage.Reply(b, "Only admins can remove repositories.", nil)
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can remove repositories."); err != nil {
 		return err
 	}
 
@@ -414,31 +424,31 @@ func (h *CommandHandler) RemoveRepo(b *gotgbot.Bot, ctx *ext.Context) error {
 			}
 		} else {
 
-				var owner, repo string
-				for i := 0; i < len(repoFullName); i++ {
-					if repoFullName[i] == '/' {
-						owner = repoFullName[:i]
-						repo = repoFullName[i+1:]
-						break
-					}
+			var owner, repo string
+			for i := 0; i < len(repoFullName); i++ {
+				if repoFullName[i] == '/' {
+					owner = repoFullName[:i]
+					repo = repoFullName[i+1:]
+					break
 				}
+			}
 
-				if owner != "" && repo != "" {
-					_, err := client.Repositories.DeleteHook(context.Background(), owner, repo, link.WebhookID)
-					if err != nil {
-						if h.handleAuthError(b, ctx, err) {
-							webhookStatusMsg = "\n\n⚠️ <b>Warning:</b> GitHub authentication failed. Webhook not removed."
+			if owner != "" && repo != "" {
+				_, err := client.Repositories.DeleteHook(context.Background(), owner, repo, link.WebhookID)
+				if err != nil {
+					if h.handleAuthError(b, ctx, err) {
+						webhookStatusMsg = "\n\n⚠️ <b>Warning:</b> GitHub authentication failed. Webhook not removed."
+					} else {
+						var errResp *github.ErrorResponse
+						if errors.As(err, &errResp) && errResp.Response.StatusCode == http.StatusNotFound {
 						} else {
-							var errResp *github.ErrorResponse
-							if errors.As(err, &errResp) && errResp.Response.StatusCode == http.StatusNotFound {
-							} else {
-								webhookStatusMsg = fmt.Sprintf("\n\n⚠️ <b>Warning:</b> Failed to remove webhook from GitHub: %v", err)
-							}
+							webhookStatusMsg = fmt.Sprintf("\n\n⚠️ <b>Warning:</b> Failed to remove webhook from GitHub: %v", err)
 						}
 					}
 				}
 			}
 		}
+	}
 
 	err = h.DB.RemoveRepoLink(context.Background(), ctx.EffectiveChat.Id, repoFullName)
 	if err != nil {
@@ -494,7 +504,6 @@ Visit the <a href="https://github.com/AshokShau/GithubBot">GitHub page</a> for m
 	return err
 }
 
-
 func (h *CommandHandler) Privacy(b *gotgbot.Bot, ctx *ext.Context) error {
 	msg := `<b>Privacy Policy</b>
 
@@ -557,6 +566,10 @@ func (h *CommandHandler) Reopen(b *gotgbot.Bot, ctx *ext.Context) error {
 
 func (h *CommandHandler) Approve(b *gotgbot.Bot, ctx *ext.Context) error {
 	msg := ctx.EffectiveMessage
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can approve pull requests in this chat."); err != nil {
+		return err
+	}
+
 	if msg.ReplyToMessage == nil {
 		_, err := msg.Reply(b, "Please use this command in reply to a notification.", nil)
 		return err
@@ -598,6 +611,10 @@ func (h *CommandHandler) Approve(b *gotgbot.Bot, ctx *ext.Context) error {
 
 func (h *CommandHandler) handleIssueAction(b *gotgbot.Bot, ctx *ext.Context, state string) error {
 	msg := ctx.EffectiveMessage
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can update issues or pull requests in this chat."); err != nil {
+		return err
+	}
+
 	if msg.ReplyToMessage == nil {
 		_, err := msg.Reply(b, "Please use this command in reply to a notification.", nil)
 		return err

internal/bot/commands/reply_handler.go

@@ -35,6 +35,9 @@ func (h *ReplyHandler) HandleReply(b *gotgbot.Bot, ctx *ext.Context) error {
 	if msg.ReplyToMessage == nil {
 		return nil
 	}
+	if err := requireAdminOrPrivate(b, ctx, "Only admins can comment on GitHub items from this chat."); err != nil {
+		return err
+	}
 
 	key := fmt.Sprintf("%d:%d", ctx.EffectiveChat.Id, msg.ReplyToMessage.MessageId)
 	mContext, found := h.ContextCache.Get(key)