7 changes: 6 additions & 1 deletion app/main.py
Expand Up @@ -19,7 +19,13 @@ async def health_check():
@app.post("/automa")
async def automa_hook(request: Request):
signature = request.headers.get("webhook-signature")

payload = (await request.body()).decode("utf-8")
body = json.loads(payload)

# Skip if not `task.created` event
if "type" not in body or body["type"] != "task.created":
return Response(status_code=204)
Comment on lines +24 to +28
The webhook signature verification should be performed before examining the event type. For security reasons, it's important to authenticate all incoming requests first before processing their content. Consider moving the event type check after line 31 where the signature has been verified. This ensures that only authenticated requests are processed, even if they're ultimately filtered out by event type.

Spotted by Diamond



# Verify request
if not verify_webhook(env().automa_webhook_secret, signature, payload):
Expand All @@ -30,7 +36,6 @@ async def automa_hook(request: Request):
return Response(status_code=401)

base_url = request.headers.get("x-automa-server-host")
body = json.loads(payload)

# Create client with base URL
automa = AsyncAutoma(base_url=base_url)
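Review bot: `body = json.loads(payload)` on new line 24 has no error handling, so a body that is not valid JSON raises `json.JSONDecodeError` out of the handler and surfaces as a 500 instead of a client error, and the `.decode("utf-8")` just above it can likewise raise `UnicodeDecodeError` on a non-UTF-8 body. The membership test `"type" not in body` on new line 27 also assumes the decoded document is a JSON object; a `null`, number or array would raise `TypeError` or be mis-classified. Wrapping the decode/parse in a `try` that returns 400 and guarding with `isinstance(body, dict)` covers both, as sketched below. automa_hook continues past the end of this hunk (the verify_webhook branch, base_url and client creation follow).
```python
    try:
        payload = (await request.body()).decode("utf-8")
        body = json.loads(payload)
    except (UnicodeDecodeError, json.JSONDecodeError):
        # Malformed body is a client error, not a server fault
        return Response(status_code=400)

    # Skip if not `task.created` event (only a JSON object can carry it)
    if not isinstance(body, dict) or body.get("type") != "task.created":
        return Response(status_code=204)
    # … unchanged: signature verification, base_url, client creation …
```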
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -7,7 +7,7 @@ requires-python = ">=3.11"
classifiers = ["Private :: Do Not Upload"]

dependencies = [
"automa-bot~=0.2.1",
"automa-bot~=0.2.3",
"fastapi-cli~=0.0.7",
"fastapi~=0.115.11",
"pydantic-settings~=2.8.1",
16 changes: 15 additions & 1 deletion tests/test_automa.py
Expand Up @@ -26,6 +26,20 @@ def call_with_fixture(client, filename):
)


def test_non_task_created(client):
"""Test the Automa webhook endpoint with non task created event."""

headers = {}

response = client.post(
"/automa",
content=b'{ "id": "whmsg_1", "timestamp": "2025-05-30T09:30:06.261Z", "type": "proposal.rejected" }',
headers=headers,
)

assert response.status_code == 204


@pytest.mark.parametrize(
"signature",
[
Expand All @@ -43,7 +57,7 @@ def test_invalid_signature(client, signature):

response = client.post(
"/automa",
content=b'{ "id": "whmsg_1", "timestamp": "2025-05-30T09:30:06.261Z" }',
content=b'{ "id": "whmsg_1", "timestamp": "2025-05-30T09:30:06.261Z", "type": "task.created" }',
headers=headers,
)

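Review bot: No visible test now sends a body that lacks the `type` key entirely: the fixture in `test_invalid_signature` (new line 60) gained `"type": "task.created"`, and the new `test_non_task_created` only covers a different value, so the `"type" not in body` half of the handler's filter is no longer exercised unless a test outside these hunks does so. Parametrizing `test_non_task_created` over both shapes keeps the previous fixture in circulation, as sketched below. As a point of style, the local `headers = {}` that is only passed straight through could be written inline as `headers={}` or dropped. The body of `test_invalid_signature` starts above the second hunk.
```python
@pytest.mark.parametrize(
    "content",
    [
        # different event type
        b'{ "id": "whmsg_1", "timestamp": "2025-05-30T09:30:06.261Z", "type": "proposal.rejected" }',
        # no `type` key at all
        b'{ "id": "whmsg_1", "timestamp": "2025-05-30T09:30:06.261Z" }',
    ],
)
def test_non_task_created(client, content):
    """Test the Automa webhook endpoint with a non `task.created` event."""

    response = client.post("/automa", content=content, headers={})

    assert response.status_code == 204
```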