feat(webhook): check installation id against known integrations

Author: Ripwords

apps/dashboard/server/lib/github-webhook-auth.test.ts

@@ -1,7 +1,14 @@
 import { describe, test, expect } from "bun:test"
-import { checkBodySize, MAX_WEBHOOK_BODY_BYTES, recordDelivery } from "./github-webhook-auth"
+import {
+  checkBodySize,
+  MAX_WEBHOOK_BODY_BYTES,
+  recordDelivery,
+  isKnownInstallation,
+} from "./github-webhook-auth"
 import { db } from "../db"
 import { githubWebhookDeliveries } from "../db/schema/github-webhook-deliveries"
+import { githubIntegrations } from "../db/schema/github-integrations"
+import { projects } from "../db/schema/projects"
 import { eq } from "drizzle-orm"
 
 describe("checkBodySize", () => {
@@ -37,3 +44,27 @@ describe("recordDelivery", () => {
     await db.delete(githubWebhookDeliveries).where(eq(githubWebhookDeliveries.deliveryId, id))
   })
 })
+
+describe("isKnownInstallation", () => {
+  test("returns false when no row matches", async () => {
+    expect(await isKnownInstallation(999_999_999)).toBe(false)
+  })
+
+  test("returns true when a github_integrations row has the installation id", async () => {
+    const [project] = await db
+      .insert(projects)
+      .values({ name: "wh-auth-test", createdBy: "test-user" })
+      .returning()
+    const installationId = 42_000_000 + Math.floor(Math.random() * 1_000_000)
+    await db.insert(githubIntegrations).values({
+      projectId: project.id,
+      installationId,
+      repoOwner: "",
+      repoName: "",
+      status: "connected",
+    })
+    expect(await isKnownInstallation(installationId)).toBe(true)
+    await db.delete(githubIntegrations).where(eq(githubIntegrations.projectId, project.id))
+    await db.delete(projects).where(eq(projects.id, project.id))
+  })
+})