From e930aa128f3aabf9ee41c8ce392c81e5ffe6e5b1 Mon Sep 17 00:00:00 2001
From: Qiao Han
Date: Tue, 10 Dec 2024 16:25:45 +0800
Subject: [PATCH] fix: enforce auth hook secrets conform to standard webhooks

---
 pkg/config/config.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6b8306ba5..83eefa445 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -965,6 +965,8 @@ func (h *hook) validate() error {
 return h.SendEmail.validate("send_email")
 }
 
+var hookSecretPattern = regexp.MustCompile(`^v1,whsec_[A-Za-z0-9+/=]{32,88}$`)
+
 func (h *hookConfig) validate(hookType string) (err error) {
 // If not enabled do nothing
 if !h.Enabled {
@@ -984,12 +986,17 @@ func (h *hookConfig) validate(hookType string) (err error) {
 } else if h.Secrets, err = maybeLoadEnv(h.Secrets); err != nil {
 return err
 }
+ for _, secret := range strings.Split(h.Secrets, "|") {
+ if !hookSecretPattern.MatchString(secret) {
+ return errors.Errorf(`Invalid hook config: auth.hook.%s.secrets must be formatted as "v1,whsec_"`, hookType)
+ }
+ }
 case "pg-functions":
 if len(h.Secrets) > 0 {
 return errors.Errorf("Invalid hook config: auth.hook.%s.secrets is unsupported for pg-functions URI", hookType)
 }
 default:
- return errors.Errorf("Invalid hook config: auth.hook.%v should be a HTTP, HTTPS, or pg-functions URI", hookType)
+ return errors.Errorf("Invalid hook config: auth.hook.%s.uri should be a HTTP, HTTPS, or pg-functions URI", hookType)
 }
 return nil
 }
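Review bot: The new package-level `hookSecretPattern` has no doc comment, and the regex encodes a non-obvious contract (one secret per value, 32 to 88 base64 characters after the fixed `v1,whsec_` prefix) that the later error message does not spell out; add `// hookSecretPattern matches a single Standard Webhooks signing secret: the "v1,whsec_" prefix followed by 32-88 base64 characters.` above the declaration. The character class admits `=` at any position rather than only as trailing padding, which is lenient but harmless for a format gate as long as the value is not decoded here, which the hunk does not show. The patch does not touch the import block, so `regexp` and `strings` must already be imported by config.go for this to build; worth a quick check since the diffstat lists only these eight insertions. The enclosing `hookConfig.validate` continues outside the hunk.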
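Review bot: The rejection message in the new loop, `must be formatted as "v1,whsec_"`, understates what the check actually requires: a secret that carries the prefix but has a too-short, too-long or non-base64 body is refused with a message that suggests the prefix alone is the problem, and the `|` separator for multiple secrets is never mentioned. Suggested wording, keeping the secret value itself out of the message as the current line correctly does: ``return errors.Errorf(`Invalid hook config: auth.hook.%s.secrets must be a "|"-separated list of "v1,whsec_<base64>" values`, hookType)``. Note also that `strings.Split("", "|")` yields one empty element, so an empty Secrets value now fails the pattern in this branch; that is the right outcome if the preceding `if` (outside the hunk) already requires a secret for HTTP hooks, which should be confirmed. The `%v` to `%s.uri` fix in the default branch is fine and is not repeated here.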