Skip to content

hookdrop CLI (V1) + API tokens, ownership fix, mint rate-limit#20

Merged
EOEboh merged 4 commits into
mainfrom
cli
Jul 16, 2026
Merged

hookdrop CLI (V1) + API tokens, ownership fix, mint rate-limit#20
EOEboh merged 4 commits into
mainfrom
cli

Conversation

@EOEboh

@EOEboh EOEboh commented Jul 16, 2026

Copy link
Copy Markdown
Owner

Adds the hookdrop CLI (V1) and the backend/UI it needs.

Backend

  • Ownership enforcement on /events, /requests, /replay via ResolveIdentifierForUser (closes a cross-user IDOR; foreign resources 404)
  • API token system: hkdp_ tokens (SHA-256 stored), /tokens CRUD (JWT-only), /me, hkdp_ branch in auth middleware
  • POST /tokens rate-limited to 10/user/hour (429)

Web UI

  • /settings/tokens management page, /cli-auth browser-login page, Sidebar link, client methods

CLI (cli/, own pure-Go module)

  • login (browser + --token/--no-browser), logout, whoami, endpoints, listen --endpoint [--forward]
  • Hand-rolled SSE client with heartbeat watchdog + jittered reconnect; forwarder ports the replay engine's header rules (parity test)

Distribution

  • goreleaser (5 platforms), release + CI workflows, Homebrew tap, checksum-verifying install.sh

Verified end-to-end against a local backend (ownership 404s, token lifecycle, SSE streaming + forwarding, reconnect, revoke-mid-session).

Follow-ups deliberately deferred: entitlement enforcement (MaxRequestsPerMonth/MaxSecrets/HistoryDays/HasFiltering), replay-engine SSRF guard, and a verify-paystack entitlement bug found during review

EOEboh added 4 commits July 15, 2026 18:40
A stolen 30-day web JWT could otherwise be burst-replayed into many
long-lived hkdp_ tokens that outlive the JWT. Cap POST /tokens per user
using the existing string-keyed sliding-hour limiter (keyed by user ID),
returning 429 with Retry-After. List/revoke stay unthrottled.
Split the loopback callback server out of browserLogin into
waitForCallback so the state check, token delivery, and timeout can be
tested without opening a browser. Adds tests covering correct/wrong-state,
missing token, honored timeout, and distinct ports for concurrent logins
(the port-0 bind cannot collide).
The account can't run Actions, so the CI checks block PRs and the
tag-triggered release would fail the same way. Remove both workflows and
document running goreleaser locally with free PATs instead.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Deploying hookdrop-frontend with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3398c40
Status: ✅  Deploy successful!
Preview URL: https://cfecf86d.hookdrop-frontend.pages.dev
Branch Preview URL: https://cli.hookdrop-frontend.pages.dev

View logs

@cloudflare-workers-and-pages

Copy link
Copy Markdown
Contributor

Deploying hookdrop with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3398c40
Status: ✅  Deploy successful!
Preview URL: https://d9d5cbad.hookdrop.pages.dev
Branch Preview URL: https://cli.hookdrop.pages.dev

View logs

@EOEboh
EOEboh merged commit 8822401 into main Jul 16, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant