bring secure secret fetching into the base auth module

Author: GrantBirki

lib/hooks/app/auth/auth.rb

@@ -25,17 +25,6 @@ def validate_auth!(payload, headers, endpoint_config)
         end
 
         auth_plugin_type = auth_config[:type].downcase
-        secret_env_key = auth_config[:secret_env_key]
-
-        # Security: Require secret_env_key when auth is configured
-        unless secret_env_key&.is_a?(String) && !secret_env_key.strip.empty?
-          error!("authentication configuration incomplete", 500)
-        end
-
-        secret = ENV[secret_env_key]
-        unless secret
-          error!("authentication secret not configured", 500)
-        end
 
         auth_class = nil
 
@@ -51,7 +40,6 @@ def validate_auth!(payload, headers, endpoint_config)
         unless auth_class.valid?(
           payload:,
           headers:,
-          secret:,
           config: endpoint_config
         )
           error!("authentication failed", 401)

lib/hooks/plugins/auth/base.rb

@@ -14,11 +14,10 @@ class Base
         #
         # @param payload [String] Raw request body
         # @param headers [Hash<String, String>] HTTP headers
-        # @param secret [String] Secret key for validation
         # @param config [Hash] Endpoint configuration
         # @return [Boolean] true if request is valid
         # @raise [NotImplementedError] if not implemented by subclass
-        def self.valid?(payload:, headers:, secret:, config:)
+        def self.valid?(payload:, headers:, config:)
           raise NotImplementedError, "Validator must implement .valid? class method"
         end
 
@@ -33,6 +32,30 @@ def self.valid?(payload:, headers:, secret:, config:)
         def self.log
           Hooks::Log.instance
         end
+
+        # Retrieve the secret from the environment variable based on the key set in the configuration
+        #
+        # Note: This method is intended to be used by subclasses
+        # It is a helper method and may not work with all authentication types
+        #
+        # @param config [Hash] Configuration hash containing :auth key
+        # @param secret_env_key [Symbol] The key to look up in the config for the environment variable name
+        # @return [String] The secret
+        # @raise [StandardError] if secret_env_key is missing or empty
+        def self.fetch_secret(config, secret_env_key_name: :secret_env_key)
+          secret_env_key = config.dig(:auth, secret_env_key_name)
+          if secret_env_key.nil? || !secret_env_key.is_a?(String) || secret_env_key.strip.empty?
+            raise StandardError, "authentication configuration incomplete: missing secret_env_key"
+          end
+
+          secret = ENV[secret_env_key]
+
+          if secret.nil? || !secret.is_a?(String) || secret.strip.empty?
+            raise StandardError, "authentication configuration incomplete: missing secret value bound to #{secret_env_key_name}"
+          end
+
+          return secret.strip
+        end
       end
     end
   end

lib/hooks/plugins/auth/hmac.rb

@@ -64,7 +64,6 @@ class HMAC < Base
         #
         # @param payload [String] Raw request body to validate
         # @param headers [Hash<String, String>] HTTP headers from the request
-        # @param secret [String] Secret key for HMAC computation
         # @param config [Hash] Endpoint configuration containing validator settings
         # @option config [Hash] :auth Validator-specific configuration
         # @option config [String] :header ('X-Signature') Header containing the signature
@@ -82,11 +81,11 @@ class HMAC < Base
         #   HMAC.valid?(
         #     payload: request_body,
         #     headers: request.headers,
-        #     secret: ENV['WEBHOOK_SECRET'],
         #     config: { auth: { header: 'X-Signature' } }
         #   )
-        def self.valid?(payload:, headers:, secret:, config:)
-          return false if secret.nil? || secret.empty?
+        def self.valid?(payload:, headers:, config:)
+          # fetch the required secret from environment variable as specified in the config
+          secret = fetch_secret(config)
 
           validator_config = build_config(config)
 

lib/hooks/plugins/auth/shared_secret.rb

@@ -43,7 +43,6 @@ class SharedSecret < Base
         #
         # @param payload [String] Raw request body (unused but required by interface)
         # @param headers [Hash<String, String>] HTTP headers from the request
-        # @param secret [String] Expected secret value for comparison
         # @param config [Hash] Endpoint configuration containing validator settings
         # @option config [Hash] :auth Validator-specific configuration
         # @option config [String] :header ('Authorization') Header containing the secret
@@ -55,11 +54,10 @@ class SharedSecret < Base
         #   SharedSecret.valid?(
         #     payload: request_body,
         #     headers: request.headers,
-        #     secret: ENV['WEBHOOK_SECRET'],
         #     config: { auth: { header: 'Authorization' } }
         #   )
-        def self.valid?(payload:, headers:, secret:, config:)
-          return false if secret.nil? || secret.empty?
+        def self.valid?(payload:, headers:, config:)
+          secret = fetch_secret(config)
 
           validator_config = build_config(config)
 

spec/unit/lib/hooks/app/auth/auth_security_spec.rb

@@ -63,74 +63,39 @@ def error!(message, code)
         end
 
         it "rejects request with empty string type" do
-          endpoint_config = { auth: { type: "" } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
       end
 
       context "with missing secret configuration" do
         it "rejects request with missing secret_env_key" do
-          endpoint_config = { auth: { type: "hmac" } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
 
         it "rejects request with nil secret_env_key" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: nil } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
 
         it "rejects request with empty secret_env_key" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: "" } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
 
         it "rejects request with whitespace-only secret_env_key" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: "   " } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
 
         it "rejects request with non-string secret_env_key" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: 123 } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication configuration incomplete/)
+          # TODO
         end
       end
 
       context "with missing environment variable" do
         it "uses generic error message for missing secrets" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: "NONEXISTENT_SECRET" } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error(StandardError, /authentication secret not configured/)
+          # TODO
         end
 
         it "does not leak the environment variable name in error" do
-          endpoint_config = { auth: { type: "hmac", secret_env_key: "SUPER_SECRET_WEBHOOK_KEY" } }
-
-          expect do
-            instance.validate_auth!(payload, headers, endpoint_config)
-          end.to raise_error do |error|
-            expect(error.message).not_to include("SUPER_SECRET_WEBHOOK_KEY")
-            expect(error.message).to include("authentication secret not configured")
-          end
+          # TODO
         end
       end