add secret token support

vigo · vigo · commit fa59de885ae4 · 2025-02-02T00:19:33.000+03:00
diff --git a/README.md b/README.md
@@ -44,6 +44,10 @@ Usage of basichttpdebugger:
     	save filename format of raw http (default "%Y-%m-%d-%H%i%s-{hostname}-{url}.raw")
   -save-raw-http-request
     	enable saving of raw http request
+  -secret-token string
+    	your secret token value
+  -secret-token-header-name string
+    	name of your secret token header, e.g. X-Gitlab-Token
   -version
     	display version information
 ```
@@ -67,6 +71,14 @@ basichttpdebugger -listen ":8000" -hmac-secret "<secret>" -hmac-header-name "<X-
 basichttpdebugger -color -listen ":8000" -hmac-secret "<secret>" -hmac-header-name "<X-HEADER-NAME>"
 ```
 
+Instead of HMAC validation, you can check against secret token/secret token
+header name. Consider you are testing GitLab webhooks and you’ll receive
+`X-Gitlab-Token` with a value `test`:
+
+```bash
+basichttpdebugger -listen ":8000" -secret-token-header-name "X-Gitlab-Token" -secret-token "test"
+```
+
 Instead of standard output, pipe everything to file!
 
 ```bash
@@ -134,9 +146,13 @@ go run . -listen ":8000"  # listens at :8000
 # or if you have ruby installed, use rake tasks!
 rake                      # listens at :9002
 LISTEN=":8000" rake       # listens at :8000
+
 LISTEN=":8000" HMAC_SECRET="<secret>" HMAC_HEADER_NAME="<X-HEADER-NAME>" rake
 LISTEN=":8000" HMAC_SECRET="<secret>" HMAC_HEADER_NAME="<X-HEADER-NAME>" COLOR=1 rake
 LISTEN=":8000" HMAC_SECRET="<secret>" HMAC_HEADER_NAME="<X-HEADER-NAME>" OUTPUT="/tmp/foo" rake
+
+LISTEN=":8000" SECRET_TOKEN="<secret>" SECRET_TOKEN_HEADER_NAME="<X-HEADER-NAME>" rake
+
 SAVE_RAW_HTTP_REQUEST=t rake
 SAVE_RAW_HTTP_REQUEST=t SAVE_FORMAT="~/Desktop/%Y-%m-%d-%H%i%s-test.raw" rake
 ```
@@ -149,6 +165,8 @@ SAVE_RAW_HTTP_REQUEST=t SAVE_FORMAT="~/Desktop/%Y-%m-%d-%H%i%s-test.raw" rake
 |:-----|:---------------------|---------------|
 | `-hmac-header-name` | `HMAC_HEADER_NAME` | Not set |
 | `-hmac-secret` | `HMAC_SECRET` | Not set |
+| `-secret-token` | `SECRET_TOKEN` | Not set |
+| `-secret-token-header-name` | `SECRET_TOKEN_HEADER_NAME` | Not set |
 | `-color` | `COLOR` | `false` |
 | `-listen` | `LISTEN` | `:9002` |
 | `-output` | `OUTPUT` | `stdout` |
@@ -305,6 +323,16 @@ Here is how it looks, a GitHub webhook (trimmed, masked due to it’s huge/priva
     {"action":"created","issue":{"url": ...} ... }
     ----------------------------------------------------------------------------------------------------
 
+If you are checking secret token/secret token header (`test`, `X-Gitlab-Token`), 
+you’ll see something like this in Payload section:
+
+    +-----------------------------------+-----------------------------+
+    | Payload                                                         |                                                                                                                                    |
+    +-----------------------------------+-----------------------------+
+    | Secret Token                      | test                        |
+    | Secret Token Header Name          | X-Gitlab-Token              |
+    | Secret Token Matches?             | true                        |
+    +-----------------------------------+-----------------------------+
 
 ---
 
@@ -318,6 +346,7 @@ docker build -t <your-image> .
 docker run -p 9002:9002 <your-image>                  # run from default port
 docker run -p 8400:8400 <your-image> -listen ":8400"  # run from 8400
 docker run -p 8400:8400 <your-image> -listen ":8400" -hmac-secret "<secret>" -hmac-header-name "<X-HEADER-NAME>"
+docker run -p 8400:8400 <your-image> -listen ":8400" -secret-token "<secret>" -secret-token-header-name "<X-HEADER-NAME>"
 ```
 
 You can download/use from docker hub or ghcr:
@@ -334,6 +363,9 @@ docker run -p 8400:8400 vigo/basichttpdebugger -listen ":8400"    # run from 840
 # run from docker hub on port 9100 with hmac support
 docker run -p 9100:9100 vigo/basichttpdebugger -listen ":9100" -hmac-secret "<secret>" -hmac-header-name "<X-HEADER-NAME>"
 
+# run from docker hub on port 9100 with secret token/secret token header name support
+docker run -p 9100:9100 vigo/basichttpdebugger -listen ":9100" -secret-token "<secret>" -secret-token-header-name "<X-HEADER-NAME>"
+
 # run from ghcr on default port
 docker run -p 9002:9002 ghcr.io/vbyazilim/basichttpdebugger/basichttpdebugger:latest
 
@@ -363,6 +395,11 @@ rake test               # run test
 
 ## Change Log
 
+**2025-02-02**
+
+- improve `stringutils` tests
+- add secret token/secret token header name support
+
 **2024-12-24**
 
 - refactor from scratch
diff --git a/internal/httpserver/httpserver.go b/internal/httpserver/httpserver.go
@@ -56,6 +56,8 @@ type DebugServer struct {
 	HMACSecret                   string
 	HMACHeaderName               string
 	RawHTTPRequestFileSaveFormat string
+	SecretToken                  string
+	SecretTokenHeaderName        string
 	ReadTimeout                  time.Duration
 	ReadHeaderTimeout            time.Duration
 	WriteTimeout                 time.Duration
@@ -158,6 +160,21 @@ func WithHMACHeaderName(s string) Option {
 	}
 }
 
+// WithSecretToken sets the secret value for secret token.
+func WithSecretToken(s string) Option {
+	return func(d *DebugServer) {
+		d.SecretToken = s
+	}
+}
+
+// WithSecretTokenHeaderName sets secret token header name value, will check this
+// http header name in request header.
+func WithSecretTokenHeaderName(s string) Option {
+	return func(d *DebugServer) {
+		d.SecretTokenHeaderName = s
+	}
+}
+
 // WithColor enables/disables colorful output.
 func WithColor(b bool) Option {
 	return func(d *DebugServer) {
@@ -183,6 +200,8 @@ type debugHandlerOptions struct {
 	writer                       io.WriteCloser
 	hmacSecret                   string
 	hmacHeaderName               string
+	secretToken                  string
+	secretTokenHeaderName        string
 	rawHTTPRequestFileSaveFormat string
 	color                        bool
 	saveRawHTTPRequest           bool
@@ -277,6 +296,20 @@ func debugHandlerFunc(options *debugHandlerOptions) http.HandlerFunc {
 			}
 			defer func() { _ = r.Body.Close() }()
 
+			if options.secretToken != "" {
+				t.AppendRow(table.Row{"Secret Token", options.secretToken})
+			}
+			if options.secretTokenHeaderName != "" {
+				t.AppendRow(table.Row{"Secret Token Header Name", options.secretTokenHeaderName})
+			}
+
+			if options.secretToken != "" && options.secretTokenHeaderName != "" {
+				t.AppendRows([]table.Row{
+					{"Secret Token Matches?", r.Header.Get(options.secretTokenHeaderName) == options.secretToken},
+				})
+				t.AppendSeparator()
+			}
+
 			if options.hmacSecret != "" {
 				t.AppendRow(table.Row{"HMAC Secret", options.hmacSecret})
 			}
@@ -420,6 +453,8 @@ func New(options ...Option) (*DebugServer, error) {
 		writer:                       opts.OutputWriter,
 		hmacSecret:                   opts.HMACSecret,
 		hmacHeaderName:               opts.HMACHeaderName,
+		secretToken:                  opts.SecretToken,
+		secretTokenHeaderName:        opts.SecretTokenHeaderName,
 		color:                        opts.Color,
 		rawHTTPRequestFileSaveFormat: opts.RawHTTPRequestFileSaveFormat,
 		saveRawHTTPRequest:           opts.SaveRawHTTPRequest,
diff --git a/internal/httpserver/run.go b/internal/httpserver/run.go
@@ -14,18 +14,28 @@ import (
 
 const (
 	helpHMACHeaderName              = "name of your signature header, e.g. X-Hub-Signature-256"
+	helpSecretTokenHeaderName       = "name of your secret token header, e.g. X-Gitlab-Token"
 	defRawHTTPRequestFileSaveFormat = "%Y-%m-%d-%H%i%s-{hostname}-{url}.raw"
 )
 
 // Run creates server instance and runs.
 func Run() error {
 	listenAddr := flag.String("listen", envutils.GetenvOrDefault("LISTEN", defListenAddr), "listen addr")
+
+	hmacSecretValue := flag.String("hmac-secret", envutils.GetenvOrDefault("HMAC_SECRET", ""), "your HMAC secret value")
 	hmacHeaderName := flag.String(
 		"hmac-header-name",
 		envutils.GetenvOrDefault("HMAC_HEADER_NAME", ""),
 		helpHMACHeaderName,
 	)
-	hmacSecretValue := flag.String("hmac-secret", envutils.GetenvOrDefault("HMAC_SECRET", ""), "your HMAC secret value")
+
+	secretToken := flag.String("secret-token", envutils.GetenvOrDefault("SECRET_TOKEN", ""), "your secret token value")
+	secretTokenHeaderName := flag.String(
+		"secret-token-header-name",
+		envutils.GetenvOrDefault("SECRET_TOKEN_HEADER_NAME", ""),
+		helpSecretTokenHeaderName,
+	)
+
 	output := flag.String("output", envutils.GetenvOrDefault("OUTPUT", "stdout"), "output/write responses to")
 	color := flag.Bool("color", envutils.GetenvOrDefault("COLOR", false), "enable color")
 	saveRawHTTPRequest := flag.Bool(
@@ -51,6 +61,8 @@ func Run() error {
 		WithListenAddr(*listenAddr),
 		WithHMACHeaderName(*hmacHeaderName),
 		WithHMACSecret(*hmacSecretValue),
+		WithSecretToken(*secretToken),
+		WithSecretTokenHeaderName(*secretTokenHeaderName),
 		WithOutputWriter(*output),
 		WithColor(*color),
 		WithSaveRawHTTPRequest(*saveRawHTTPRequest),
