WebhookEngine v0.2.1

WebhookEngine v0.2.1

Patch release closing the v0.2.0 portal audit follow-up: three P0 security hardening fixes, 23 new tests filling the portal coverage gaps, four P1 behaviour corrections, two ADRs locking in portal architecture decisions, full API and architecture documentation for the portal stack, and build hygiene (Docker Hub sync hard-failure, comment-noise removal).

Features / Fixes / Changes

Security

• Portal rate-limit enforcement on mutating routes. PortalEndpointsController now carries [EnableRateLimiting("send-by-appid")] at the controller level; a leaked portal token could previously spam /test (real outbound HTTP POST) without sharing the per-tenant rate-limit budget.
• JWT parser size cap — DoS amplification path closed. PortalTokenAuthMiddleware now rejects Bearer payloads larger than 8 KiB before the JWT parser runs (down from the .NET default ~250 KiB); oversized tokens return 401 immediately.
• PortalLookupCache atomic CTS swap — race window closed. Set now uses AddOrUpdate to atomically swap and dispose the previous CancellationTokenSource, preventing a racing InvalidateApplication from binding a fresh cache entry to a disposed token.
• Portal CORS preflight deny-cache. PortalCorsMiddleware now caches both allow and deny outcomes for the signing-key lookup TTL (default 60 s), removing a low-effort DB hammer vector from repeated OPTIONS against disallowed origins.

Behaviour

• PATCH /api/v1/portal/endpoints/{id} replaces PUT. The route's partial-replace semantics were always PATCH; the [HttpPut] attribute was a mislabel. The <EndpointManager /> component already issues PATCH.
• Portal disable preserves AllowedPortalOriginsJson. Disabling an app's portal now only revokes the signing key; the operator-curated CORS allowlist is kept so a re-enable does not require re-entering origins.
• Validator drift consolidated via EndpointValidationRules. Six shared extension methods replace per-validator duplicates across the four admin and two portal endpoint validators — a single source of truth for rule tightening going forward.
• npm publish workflow (publish-portal.yml). Fires on portal-v* tags; publishes @webhookengine/endpoint-manager with sigstore provenance and a private:true guard.

Tests

• 23 new tests closing v0.2.0 portal coverage gaps. PortalCorsMiddlewareTests (7 facts), PortalLookupCacheTests (5 facts), PortalOriginsAllowlistE2ETests (7 facts, Testcontainers against real PostgreSQL JSONB), plus cross-tenant guard and empty-capabilities defense-in-depth facts in PortalEndpointsControllerTests. Total test count: 279.

Docs

• docs/API.md §3.8 — Portal API reference. Covers HS256 JWT contract, capability scopes, per-app CORS, every /api/v1/portal/* route, the portal-specific error code table, and an end-to-end Node.js + cURL probe.
• docs/ARCHITECTURE.md §4.3 — Portal token authentication. Documents middleware ordering, PortalLookupCache TTL + atomic-CTS-swap behaviour, and JWT validator defense-in-depth choices.
• ADR-004 — Portal signing key storage. Locks in the plaintext varchar(64) decision, no-grace rotation lifecycle, and one-shot reveal contract.
• ADR-005 — Portal CORS preflight deny-cache TTL. Locks in the PortalAuth:LookupCacheTtlSeconds-symmetric TTL and documents why no synchronous invalidation hook is needed.
• docs/RELEASE.md §1 updated. DOCKERHUB_TOKEN now documents all three required scopes to eliminate the "release ran but Docker Hub overview is stale" debugging session.

Infrastructure / Build

• release.yml continue-on-error workaround removed. The Sync Docker Hub description step now hard-fails on scope misconfiguration instead of silently succeeding.
• samples/portal-host/ reference application added; docs/PORTAL.md §5 component usage section completed.
• Section-header comment noise removed (~30 lines of banner separators with no WHY content cleared from controllers and SDK models).

Quick Start

docker pull voyvodka/webhook-engine:0.2.1
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -d

Dashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).

Links

• Docker Hub: voyvodka/webhook-engine:0.2.1 (multi-arch: linux/amd64 + linux/arm64)
• NuGet: WebhookEngine.Sdk 0.2.1
• Docs: docs/ — API, DATABASE, ARCHITECTURE, PORTAL, GETTING-STARTED, SELF-HOSTING, RELEASE
• Landing: webhook.sametozkan.com.tr
• Full changelog: CHANGELOG.md — 0.2.1 section