feat: protect github route with secret too

prod.env

@@ -2,4 +2,6 @@ LOG_TOKEN="op://Environment Variables - Naomi/Alert Server/api_auth"
 BOT_TOKEN="op://Environment Variables - Naomi/Amari/bot token"
 GH_CLIENT_ID="op://Environment Variables - Naomi/Amari/gh client id"
 GH_CLIENT_SECRET="op://Environment Variables - Naomi/Amari/gh client secret"
-GH_PRIVATE_KEY="op://Environment Variables - Naomi/Amari/gh private key"
+GH_PRIVATE_KEY="op://Environment Variables - Naomi/Amari/gh private key"
+GH_WEBHOOK_SECRET="op://Environment Variables - Naomi/Amari/gh webhook secret"
+BASEROW_SECRET="op://Environment Variables - Naomi/Amari/baserow hook auth"

src/modules/processGitHubEvent.ts

@@ -25,13 +25,23 @@ const isPull = (body: GithubPayload): body is PullRequestCreated => {
  * @param request - The Fastify request payload.
  * @param response - The Fastify reply class.
  */
-// eslint-disable-next-line max-statements -- STFU.
+// eslint-disable-next-line max-statements, max-lines-per-function -- STFU.
 export const processGithubEvent = async(
   amari: Amari,
-  // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.
+  request: FastifyRequest<{
-  request: FastifyRequest<{ Body: GithubPayload }>,
+    // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.
+    Body:        GithubPayload;
+    // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.
+    Querystring: { secret: string };
+  }>,
   response: FastifyReply,
 ): Promise<void> => {
+  const { secret } = request.query;
+  if (secret !== process.env.GH_WEBHOOK_SECRET) {
+    await response.status(403).send({
+      message: "Invalid secret provided!",
+    });
+  }
   const event = request.headers["x-github-event"];
   if (typeof event !== "string") {
     await response.status(400).

src/server/serve.ts

@@ -57,6 +57,7 @@ const html = `<!DOCTYPE html>
  * Starts up a web server for health monitoring.
  * @param amari - Amari's instance.
  */
+// eslint-disable-next-line max-lines-per-function -- STFU.
 export const instantiateServer = (amari: Amari): void => {
   try {
     const server = fastify({
@@ -68,18 +69,21 @@ export const instantiateServer = (amari: Amari): void => {
       response.send(html);
     });
 
-    server.
+    server.post<{
+    // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.
+      Body:        GithubPayload;
       // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.
-      post<{ Body: GithubPayload }>("/github", async(request, response) => {
+      Querystring: { secret: string };
-        try {
+    }>("/github", async(request, response) => {
-          await processGithubEvent(amari, request, response);
+      try {
-        } catch (error) {
+        await processGithubEvent(amari, request, response);
-          if (!(error instanceof Error)) {
+      } catch (error) {
-            return;
+        if (!(error instanceof Error)) {
-          }
+          return;
-          await logger.error("/github route", error);
         }
-      });
+        await logger.error("/github route", error);
+      }
+    });
 
     server.
       // eslint-disable-next-line @typescript-eslint/naming-convention -- Fastify standard.