feat: Enhance VcsRepoBindingRepository with slug-based lookup and improve token handling in ProjectService

rostilos · rostilos · commit e3c84844ef9d · 2026-02-27T13:05:44.000+02:00
diff --git a/java-ecosystem/libs/core/src/main/java/org/rostilos/codecrow/core/persistence/repository/vcs/VcsRepoBindingRepository.java b/java-ecosystem/libs/core/src/main/java/org/rostilos/codecrow/core/persistence/repository/vcs/VcsRepoBindingRepository.java
@@ -38,6 +38,15 @@ Optional<VcsRepoBinding> findByProviderAndExternalRepoIdWithDetails(
             @Param("externalRepoId") String externalRepoId
     );
 
+    @Query("SELECT b FROM VcsRepoBinding b " +
+           "LEFT JOIN FETCH b.project " +
+           "LEFT JOIN FETCH b.vcsConnection " +
+           "WHERE b.provider = :provider AND b.externalRepoSlug = :repoSlug")
+    Optional<VcsRepoBinding> findByProviderAndExternalRepoSlugWithDetails(
+            @Param("provider") EVcsProvider provider,
+            @Param("repoSlug") String repoSlug
+    );
+
     @Query("SELECT b FROM VcsRepoBinding b " +
            "LEFT JOIN FETCH b.project " +
            "WHERE b.vcsConnection.id = :connectionId")
diff --git a/java-ecosystem/services/pipeline-agent/src/main/java/org/rostilos/codecrow/pipelineagent/generic/webhookhandler/WebhookProjectResolver.java b/java-ecosystem/services/pipeline-agent/src/main/java/org/rostilos/codecrow/pipelineagent/generic/webhookhandler/WebhookProjectResolver.java
@@ -10,7 +10,6 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
 
-import java.security.GeneralSecurityException;
 import java.util.Optional;
 
 /**
@@ -47,7 +46,20 @@ public WebhookProjectResolver(
     public Optional<Project> findProjectByExternalRepo(EVcsProvider provider, String externalRepoId) {
         log.debug("Looking up project for provider={}, externalRepoId={}", provider, externalRepoId);
         
-        return bindingRepository.findByProviderAndExternalRepoIdWithDetails(provider, externalRepoId)
+        // Primary lookup by UUID-based external repo ID
+        Optional<Project> result = bindingRepository.findByProviderAndExternalRepoIdWithDetails(provider, externalRepoId)
+                .flatMap(binding -> {
+                    Long projectId = binding.getProject().getId();
+                    return projectRepository.findByIdWithFullDetails(projectId);
+                });
+        
+        if (result.isPresent()) {
+            return result;
+        }
+        
+        // Fallback: try slug-based lookup for older bindings that stored slug as externalRepoId
+        log.debug("UUID lookup failed, trying slug-based fallback for provider={}, repoId={}", provider, externalRepoId);
+        return bindingRepository.findByProviderAndExternalRepoSlugWithDetails(provider, externalRepoId)
                 .flatMap(binding -> {
                     Long projectId = binding.getProject().getId();
                     return projectRepository.findByIdWithFullDetails(projectId);
@@ -77,12 +89,17 @@ public boolean validateWebhookAuth(Project project, String authToken) {
         if (project.getAuthToken() == null || authToken == null) {
             return false;
         }
+        String storedToken = project.getAuthToken();
+
+        // Try decrypting first (new encrypted tokens)
         try {
-            String decryptedToken = tokenEncryptionService.decrypt(project.getAuthToken());
+            String decryptedToken = tokenEncryptionService.decrypt(storedToken);
             return decryptedToken.equals(authToken);
-        } catch (GeneralSecurityException e) {
-            log.error("Failed to decrypt auth token for project {}", project.getId(), e);
-            return false;
+        } catch (Exception e) {
+            // Decryption failed — token is likely stored as plaintext (legacy).
+            // Fall back to direct comparison.
+            log.debug("Token decryption failed for project {} — trying plaintext comparison", project.getId());
+            return storedToken.equals(authToken);
         }
     }
     
diff --git a/java-ecosystem/services/web-server/src/main/java/org/rostilos/codecrow/webserver/project/service/ProjectService.java b/java-ecosystem/services/web-server/src/main/java/org/rostilos/codecrow/webserver/project/service/ProjectService.java
@@ -1014,13 +1014,14 @@ private String generateWebhookUrl(EVcsProvider provider, Project project) {
         String base = (urls.webhookBaseUrl() != null && !urls.webhookBaseUrl().isBlank())
                 ? urls.webhookBaseUrl()
                 : urls.baseUrl();
-        // Decrypt the stored token to get the URL-safe plaintext for the webhook path
+        // Try decrypting the stored token; fall back to raw value for legacy plaintext tokens
         String plainToken;
         try {
             plainToken = tokenEncryptionService.decrypt(project.getAuthToken());
-        } catch (GeneralSecurityException e) {
-            log.error("Failed to decrypt auth token for project {}", project.getId(), e);
-            throw new IllegalStateException("Cannot generate webhook URL: auth token decryption failed");
+        } catch (Exception e) {
+            // Token is likely already plaintext (legacy) — use as-is
+            log.debug("Token decryption failed for project {} — using raw token", project.getId());
+            plainToken = project.getAuthToken();
         }
         return base + "/api/webhooks/" + provider.getId() + "/" + plainToken;
     }
