internal endpoints part 2 (#2322)

breardon2011 · web-flow · commit 263f8ac562cc · 2025-10-15T15:41:59.000-07:00
* changes

* read and write working

* add lightstream example

* query wip

* EOD wip

* add db types, modular bucket, auth

* remove duplicates

* remove noop store

* remove unit ls-fast test command

* remove units fast from the client

* remove WAL setup

* remove unnecessary

* adjust auth

* wip - mssql fix

* enable NULL for lock time

* some changes to documentation

* Test Suite for query engine, adjustments to stores

Discovered a flaw in sqlstore's handling of wildcard perms during testing, adjusted
Adjustd the s3 store to enable testing with this definition instead of separate mock

Added tests for different aspects of the query engine, especially rbac and unit management.

* fix docker warnings and build fail

* add missing syncs for rbac

* adjust docs, silence SQL logs, check for existence before sync

* adjust docs - PATH to DB_PATH, add prefix

* refactor with repository in mind

* add webhook auth, internal routing

* some how have double models.go after merging

* add constant time check, verify org, other corrections

* revert, other adjustments

* restore from develop

* remove comment

* change webhook secrete to opentaco_enable_internal_endpoints

* change the routes to be prefixed as internal/api/* and update comments

* generated files

* revert
diff --git a/taco/internal/api/internal.go b/taco/internal/api/internal.go
@@ -15,9 +15,9 @@ import (
 
 
 func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
-	webhookSecret := os.Getenv("OPENTACO_WEBHOOK_SECRET")
+	webhookSecret := os.Getenv("OPENTACO_ENABLE_INTERNAL_ENDPOINTS")
 	if webhookSecret == "" {
-		log.Println("OPENTACO_WEBHOOK_SECRET not configured, skipping internal routes")
+		log.Println("OPENTACO_ENABLE_INTERNAL_ENDPOINTS not configured, skipping internal routes")
 		return
 	}
 
@@ -33,7 +33,7 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 	}
 
 	// Create internal group with webhook auth (with orgRepo for existence check)
-	internal := e.Group("/internal")
+	internal := e.Group("/internal/api")
 	internal.Use(middleware.WebhookAuth(orgRepo))
 
 	// Organization and User management endpoints
@@ -51,8 +51,8 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		internal.GET("/users/:subject", orgHandler.GetUser)
 		internal.GET("/users", orgHandler.ListUsers)
 		
-		log.Println("Organization management endpoints registered at /internal/orgs")
-		log.Println("User management endpoints registered at /internal/users")
+		log.Println("Organization management endpoints registered at /internal/api/orgs")
+		log.Println("User management endpoints registered at /internal/api/users")
 	} else {
 		log.Println("Warning: Could not create org/user repositories, endpoints disabled")
 	}
@@ -67,7 +67,7 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		rbacGroup.GET("/permissions", rbacHandler.ListPermissions)
 		rbacGroup.POST("/assign", rbacHandler.AssignRole)
 		rbacGroup.POST("/revoke", rbacHandler.RevokeRole)
-		log.Println("RBAC management endpoints registered at /internal/rbac")
+		log.Println("RBAC management endpoints registered at /internal/api/rbac")
 	}
 
 	orgService := domain.NewOrgService()
@@ -151,7 +151,7 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 		return c.JSON(http.StatusOK, info)
 	})
 
-	log.Printf("Internal routes registered at /internal/* with webhook authentication")
+	log.Printf("Internal routes registered at /internal/api/* with webhook authentication")
 }
 
 // wrapWithWebhookRBAC wraps a handler with RBAC permission checking
diff --git a/taco/internal/api/routes.go b/taco/internal/api/routes.go
@@ -275,6 +275,6 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 		})
 	})
 
-	// Register webhook-authenticated internal routes (if OPENTACO_WEBHOOK_SECRET is set)
+	// Register webhook-authenticated internal routes (if OPENTACO_ENABLE_INTERNAL_ENDPOINTS is set)
 	RegisterInternalRoutes(e, deps)
 }
diff --git a/taco/internal/middleware/webhook.go b/taco/internal/middleware/webhook.go
@@ -23,11 +23,11 @@ import (
 func WebhookAuth(orgRepo domain.OrganizationRepository) echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			webhookSecret := os.Getenv("OPENTACO_WEBHOOK_SECRET")
+			webhookSecret := os.Getenv("OPENTACO_ENABLE_INTERNAL_ENDPOINTS")
 			
 			// If no webhook secret is configured, deny access
 			if webhookSecret == "" {
-				slog.Error("Critical - webhook middleware called but OPENTACO_WEBHOOK_SECRET not configured")
+				slog.Error("Critical - webhook middleware called but OPENTACO_ENABLE_INTERNAL_ENDPOINTS not configured")
 				return c.JSON(http.StatusInternalServerError, map[string]string{
 					"error": "webhook authentication not configured",
 				})

Original file line number	Diff line number	Diff line change
`@@ -275,6 +275,6 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {`
`275`	`275`	`})`
`276`	`276`	`})`
`277`	`277`
`278`		`- // Register webhook-authenticated internal routes (if OPENTACO_WEBHOOK_SECRET is set)`
	`278`	`+ // Register webhook-authenticated internal routes (if OPENTACO_ENABLE_INTERNAL_ENDPOINTS is set)`
`279`	`279`	`RegisterInternalRoutes(e, deps)`
`280`	`280`	`}`