Closed
Labels: bug (Something isn't working), security (Security-related issues)
Description
Problem
When a request hits /c/{token} with a token that passes format validation but is not registered in the database, the server still fires an alert to the global fallback webhook (cfg.WebhookURL). Only registered canary tokens should ever trigger delivery.
Root cause
In processAlert:

```go
webhookURL := s.cfg.WebhookURL // global fallback
if reg != nil && reg.WebhookURL != "" && reg.WebhookURL != "use-global" {
	webhookURL = reg.WebhookURL
}
// reg == nil falls through here with the global URL still set
if webhookURL != "" {
	deliverWebhook(webhookURL, e, reg)
}
```

When reg == nil (token not found), the fallback is used unconditionally. Any token-shaped URL path that passes the regex (^[a-zA-Z0-9_-]{8,80}$) will trigger a webhook delivery.
Observed behavior
- GET /c/agent-01- passes the regex (9 valid chars, including the trailing dash)
- Token has no registration in the DB, so reg == nil
- Global webhook fires anyway
- Alert appears in Discord with no agent identifier (just the bare prefix)
Fix
Only fire the webhook if the token is actually registered:

```go
// Unregistered token: log it and stop before any webhook resolution.
if reg == nil {
	log.Printf("CANARY_UNREGISTERED token=%s ip=%s — ignoring", token, ip)
	return
}
webhookURL := s.cfg.WebhookURL // global fallback, only reachable for registered tokens
if reg.WebhookURL != "" && reg.WebhookURL != "use-global" {
	webhookURL = reg.WebhookURL
}
if webhookURL != "" {
	deliverWebhook(webhookURL, e, reg)
}
```

Events can still be inserted for auditability, but unregistered tokens should never trigger webhook delivery.
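The following is an added, self-contained example (not the project's own code) that exercises both the original fall-through and the fixed decision logic side by side. The regex and the "use-global" sentinel come from the issue; Registration, Config, the in-memory registry, the strict flag and the sample tokens are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"regexp"
)

// tokenRe is the format check quoted in the issue.
var tokenRe = regexp.MustCompile(`^[a-zA-Z0-9_-]{8,80}$`)

// Registration stands in for the DB row the handler calls reg (assumption).
type Registration struct {
	AgentID    string
	WebhookURL string // "", "use-global", or a per-agent URL
}

// Config stands in for s.cfg (assumption).
type Config struct {
	WebhookURL string // global fallback
}

var errBadToken = errors.New("token fails format validation")

// ResolveWebhook picks the delivery URL for a registered token: the per-agent
// URL if set and not "use-global", otherwise the global fallback.
func ResolveWebhook(cfg Config, reg *Registration) string {
	webhookURL := cfg.WebhookURL
	if reg != nil && reg.WebhookURL != "" && reg.WebhookURL != "use-global" {
		webhookURL = reg.WebhookURL
	}
	return webhookURL
}

// ProcessAlert mirrors the /c/{token} handler. With strict=false it reproduces
// the original behaviour (nil reg still reaches the global webhook); with
// strict=true it applies the fix. It returns the URL that would be delivered
// to, or "" when nothing is sent.
func ProcessAlert(cfg Config, db map[string]*Registration, token, ip string, strict bool) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", errBadToken
	}
	reg := db[token] // nil when the token is not registered
	// An audit event could be recorded here regardless of reg.
	if strict && reg == nil {
		log.Printf("CANARY_UNREGISTERED token=%s ip=%s ignoring", token, ip)
		return "", nil
	}
	return ResolveWebhook(cfg, reg), nil
}

// SampleRegistry is a constructed in-memory stand-in for the DB.
func SampleRegistry() map[string]*Registration {
	return map[string]*Registration{
		"agent-01-alpha": {AgentID: "agent-01", WebhookURL: "use-global"},
		"agent-02-beta":  {AgentID: "agent-02", WebhookURL: "https://hooks.example.invalid/agent-02"},
	}
}

func main() {
	cfg := Config{WebhookURL: "https://hooks.example.invalid/global"}
	db := SampleRegistry()
	for _, strict := range []bool{false, true} {
		// "agent-01-" is 9 valid chars with a trailing dash: passes the regex,
		// but is not in the registry.
		url, err := ProcessAlert(cfg, db, "agent-01-", "203.0.113.7", strict)
		fmt.Printf("strict=%v token=agent-01- url=%q err=%v\n", strict, url, err)
	}
}
```

Run with strict=false the probe token reaches the global webhook; with strict=true it is logged and dropped, while registered tokens still resolve to their per-agent URL or the global fallback.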
Impact
- Alert fatigue / false positives from probe traffic
- Potential webhook spam from automated scanners probing URL patterns