Security updates for enabled owner repos and webhooks path (#73)

* Fix webhooks path

* Handle security for owner repos

prdeploy-api/src/PrDeploy.Api.Business/Services/OwnerRepoService.cs

@@ -1,3 +1,4 @@
+using System.Net;
 using PrDeploy.Api.Business.Security.Interfaces;
 using PrDeploy.Api.Business.Services.Interfaces;
 using PrDeploy.Api.Business.Stores.Interfaces;
@@ -83,6 +84,45 @@ public async Task<List<OwnerRepos>> ListEnabledAsync()
             await _parameterStore.SetAsync(OwnerReposKey, ownerRepos);
         }
 
-        return ownerRepos;
+
+        // If there are no repositories configured yet, then allow them to be set up.
+        if (ownerRepos.Count == 0)
+        {
+            return ownerRepos;
+        }
+
+        // Filter out all repositories without access,
+        // if there are none left, than access is forbidden.
+        var hasAuthorizedRepos = false;
+        var ownerReposList = new List<OwnerRepos>();
+        foreach (var ownerRepo in ownerRepos)
+        {
+            var authorizedOwnerRepos = new OwnerRepos
+            {
+                Owner = ownerRepo.Owner,
+                Repos = new List<string>()
+            };
+            foreach (var repo in ownerRepo.Repos)
+            {
+                if (await _gitHubSecurity.HasRepoAccessAsync(ownerRepo.Owner, repo))
+                {
+                    authorizedOwnerRepos.Repos.Add(repo);
+                }
+            }
+
+            if (authorizedOwnerRepos.Repos.Count > 0)
+            {
+                ownerReposList.Add(authorizedOwnerRepos);
+                hasAuthorizedRepos = true;
+            }
+        }
+
+        // If no repositories are authorized than access is denied.
+        if (!hasAuthorizedRepos)
+        {
+            throw new HttpRequestException("Access denied.", null, HttpStatusCode.Forbidden);
+        }
+
+        return ownerReposList;
     }
 }

prdeploy-app/src/app/auth/secure-redirect/secure-redirect.component.ts

@@ -22,6 +22,10 @@ export class SecureRedirectComponent {
 
   async redirectToOwnerRepo() {
     const response = await firstValueFrom(this._enabledOwnerReposGQL.fetch());
+    if (!response) {
+      return;
+    }
+
     const ownerRepos = response.data.enabledOwnerRepos;
     const hasRepos = await this._repoManager.updateOwnerRepos(ownerRepos);
     if (hasRepos && ownerRepos && ownerRepos.length > 0) {

prdeploy-app/src/app/shared/managers/repo.manager.ts

@@ -67,7 +67,10 @@ export class RepoManager {
   async fetchOwnerRepos() {
     const result = await firstValueFrom(this._enabledOwnerReposGQL.fetch());
     this._isLoaded = true;
-    this.updateOwnerRepos(result.data.enabledOwnerRepos);
+
+    if (result && result.data) {
+      this.updateOwnerRepos(result.data.enabledOwnerRepos);
+    }
   }
 
   updateOwnerRepos(ownerRepos: OwnerRepos[]) {

prdeploy-webhooks/.vscode/settings.json

@@ -24,5 +24,10 @@
       "**/package-lock.json": true
     },
     "files.eol": "\n",
-    "git.openRepositoryInParentFolders": "always"
+    "git.openRepositoryInParentFolders": "always",
+    "workbench.colorCustomizations": {
+        "activityBar.background": "#2B2D3B",
+        "titleBar.activeBackground": "#3C3E53",
+        "titleBar.activeForeground": "#FAFAFB"
+    }
   }

prdeploy-webhooks/src/app.ts

@@ -91,7 +91,7 @@ app.webhooks.onError(error => {
 // Launch a web server to listen for GitHub webhooks
 console.log('Binding server.');
 const port = process.env.PORT || 3000;
-const path = '/api/webhook';
+const path = '/webhooks';
 const localWebhookUrl = `http://localhost:${port}${path}`;
 
 const middleware = createNodeMiddleware(app.webhooks, { path });