Skip to content

refactor(webhooks): make admin webhooks view-only, remove write actions#1754

Merged
rohanchkrabrty merged 4 commits into
mainfrom
feature/webhooks-view-only
Jul 15, 2026
Merged

refactor(webhooks): make admin webhooks view-only, remove write actions#1754
rohanchkrabrty merged 4 commits into
mainfrom
feature/webhooks-view-only

Conversation

@Shreyag02

@Shreyag02 Shreyag02 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Makes the admin console Webhooks page permanently view-only. All write actions (create, update, delete) are removed from the admin UI entirely — no config flag, no gating. The page now shows a read-only list of webhooks.

Changes

  • Removed the row Action menu (Update + Delete), the New Webhook button, and the create/update drawers.
  • Deleted the now-unused create/, update/, and delete/ components and the delete mutation from the query hook.
  • Simplified WebhooksView to a read-only table; its only prop is now icon.
  • Removed the dead webhooks/create and webhooks/:webhookId routes.
  • Dropped the webhooks UI config (enable_actions / enable_delete) from the admin app config types and dev config.

Technical Details

  • SDK (web/sdk/admin/views/webhooks/webhooks/): WebhooksView renders only the Description / State / URL / Created-at columns. getColumns() takes no arguments; useWebhookQueries exposes only the list query.
  • App (WebhooksPage.tsx, routes.tsx): renders <WebhooksView /> with just an icon; create/detail routes removed.
  • Config (constants.ts, configs.dev.json): WebhooksConfig and the webhooks block removed from the admin app.
  • Go server: unchanged. WebhooksConfig and the /configs webhooks response remain identical to main; the view-only scope is enforced entirely in the web layer.
  • Backend webhook RPCs (createWebhook / updateWebhook / deleteWebhook) are unchanged — only the admin UI surface was removed.

Test Plan

  • Manual testing — webhooks page loads as a read-only list; no write actions present.
  • Build and type checking — admin tsc + Vite production build, SDK tsup build, and ESLint all clean.

SQL Safety (if your PR touches *_repository.go or goqu.*)

N/A

@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Jul 15, 2026 8:07am

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Caution

Review failed

An error occurred during the review process. Please try again later.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0445ed10-2956-4c1c-b75a-211d48b2d3bf

📥 Commits

Reviewing files that changed from the base of the PR and between cd6b070 and 68b0e3d.

📒 Files selected for processing (7)
  • pkg/server/config.go
  • pkg/server/server.go
  • web/apps/admin/configs.dev.json
  • web/apps/admin/src/pages/webhooks/WebhooksPage.tsx
  • web/apps/admin/src/utils/constants.ts
  • web/sdk/admin/views/webhooks/webhooks/columns.tsx
  • web/sdk/admin/views/webhooks/webhooks/index.tsx

Comment thread web/sdk/admin/views/webhooks/webhooks/columns.tsx Outdated
@coveralls

coveralls commented Jul 13, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 29399637566

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Warning

No base build found for commit a41e92d on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 45.198%

Details

  • Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 37701
Covered Lines: 17040
Line Coverage: 45.2%
Coverage Strength: 12.69 hits per line

💛 - Coveralls

@Shreyag02 Shreyag02 changed the title feat(webhooks): make admin webhooks view-only via enable_actions flag refactor(webhooks): make admin webhooks view-only, remove write actions Jul 14, 2026
# Conflicts:
#	pkg/server/server.go
#	web/sdk/admin/views/webhooks/webhooks/delete/index.tsx

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
pkg/server/server.go (2)

307-308: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use structured logging fields.

Avoid string concatenation in log messages. Passing variables as structured fields makes logs easier to parse and query.

🛠️ Proposed fix
-	logger.Info("Graceful shutdown of " + name + " complete")
+	logger.Info("Graceful shutdown complete", "server", name)

100-103: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add ReadHeaderTimeout to prevent resource exhaustion.

The HTTP servers are constructed without read timeouts. A slow or malicious client can hold connections open indefinitely by sending headers slowly (Slowloris attack). Set ReadHeaderTimeout to bound the wait time for headers. Avoid setting ReadTimeout as it applies to the entire request body and could prematurely close legitimate long-lived streaming connections like gRPC/ConnectRPC.

  • pkg/server/server.go#L100-L103: Set ReadHeaderTimeout: 5 * time.Second on the UI server.
  • pkg/server/server.go#L223-L226: Set ReadHeaderTimeout: 5 * time.Second on the Connect server.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0d27c68b-e1af-46ab-8031-781a872654e6

📥 Commits

Reviewing files that changed from the base of the PR and between ec9649d and 2cc05ab.

📒 Files selected for processing (3)
  • pkg/server/config.go
  • pkg/server/server.go
  • web/apps/admin/src/routes.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • web/apps/admin/src/routes.tsx
  • pkg/server/config.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🧹 Nitpick comments (2)
pkg/server/server.go (2)

307-308: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use structured logging fields.

Avoid string concatenation in log messages. Passing variables as structured fields makes logs easier to parse and query.

🛠️ Proposed fix
-	logger.Info("Graceful shutdown of " + name + " complete")
+	logger.Info("Graceful shutdown complete", "server", name)

100-103: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add ReadHeaderTimeout to prevent resource exhaustion.

The HTTP servers are constructed without read timeouts. A slow or malicious client can hold connections open indefinitely by sending headers slowly (Slowloris attack). Set ReadHeaderTimeout to bound the wait time for headers. Avoid setting ReadTimeout as it applies to the entire request body and could prematurely close legitimate long-lived streaming connections like gRPC/ConnectRPC.

  • pkg/server/server.go#L100-L103: Set ReadHeaderTimeout: 5 * time.Second on the UI server.
  • pkg/server/server.go#L223-L226: Set ReadHeaderTimeout: 5 * time.Second on the Connect server.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0d27c68b-e1af-46ab-8031-781a872654e6

📥 Commits

Reviewing files that changed from the base of the PR and between ec9649d and 2cc05ab.

📒 Files selected for processing (3)
  • pkg/server/config.go
  • pkg/server/server.go
  • web/apps/admin/src/routes.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • web/apps/admin/src/routes.tsx
  • pkg/server/config.go
🛑 Comments failed to post (1)
pkg/server/server.go (1)

75-76: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fix proxy path replacement and Host header.

Replacing all occurrences of /frontier-connect in the path could accidentally mutate legitimate downstream paths (e.g., if a resource or organization is named frontier-connect). Use strings.TrimPrefix to safely strip only the routing prefix.

Additionally, connectRemoteHost contains the http:// scheme, which will result in an invalid HTTP Host header. Use the parsed connectRemote.Host instead, which correctly provides the host:port string.

🛠️ Proposed fix
-			r.URL.Path = strings.Replace(r.URL.Path, "/frontier-connect", "", -1)
-			r.Host = connectRemoteHost
+			r.URL.Path = strings.TrimPrefix(r.URL.Path, "/frontier-connect")
+			r.Host = connectRemote.Host
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

			r.URL.Path = strings.TrimPrefix(r.URL.Path, "/frontier-connect")
			r.Host = connectRemote.Host

Comment thread pkg/server/server.go
Reverts the Go-side removal of WebhooksConfig/WebhooksConfigApiResponse so
pkg/server matches main; view-only scope is handled in the web layer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rohanchkrabrty rohanchkrabrty merged commit da6059c into main Jul 15, 2026
8 checks passed
@rohanchkrabrty rohanchkrabrty deleted the feature/webhooks-view-only branch July 15, 2026 09:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants