From ad7d485eb5ec7f7556cad7a045431d015bd83947 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 13 Sep 2023 21:24:06 +0200
Subject: [PATCH 01/28] feat(webhooks): add basic crud actions for webhooks

---
 pkg/migration/20230913202615.go | 50 ++++++++++++++++++
 pkg/models/webhooks.go          | 94 +++++++++++++++++++++++++++++++++
 pkg/models/webhooks_rights.go   | 42 +++++++++++++++
 3 files changed, 186 insertions(+)
 create mode 100644 pkg/migration/20230913202615.go
 create mode 100644 pkg/models/webhooks.go
 create mode 100644 pkg/models/webhooks_rights.go

diff --git a/pkg/migration/20230913202615.go b/pkg/migration/20230913202615.go
new file mode 100644
index 00000000000..1df44f1e91b
--- /dev/null
+++ b/pkg/migration/20230913202615.go
@@ -0,0 +1,50 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package migration
+
+import (
+	"src.techknowlogick.com/xormigrate"
+	"time"
+	"xorm.io/xorm"
+)
+
+type webhooks20230913202615 struct {
+	ID          int64     `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
+	TargetURL   string    `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
+	Events      []string  `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
+	ProjectID   int64     `xorm:"not null" json:"project_id" param:"project"`
+	CreatedByID int64     `xorm:"bigint not null" json:"-"`
+	Created     time.Time `xorm:"created not null" json:"created"`
+	Updated     time.Time `xorm:"updated not null" json:"updated"`
+}
+
+func (webhooks20230913202615) TableName() string {
+	return "webhooks"
+}
+
+func init() {
+	migrations = append(migrations, &xormigrate.Migration{
+		ID:          "20230913202615",
+		Description: "",
+		Migrate: func(tx *xorm.Engine) error {
+			return tx.Sync2(webhooks20230913202615{})
+		},
+		Rollback: func(tx *xorm.Engine) error {
+			return nil
+		},
+	})
+}
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
new file mode 100644
index 00000000000..561b7a3611e
--- /dev/null
+++ b/pkg/models/webhooks.go
@@ -0,0 +1,94 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package models
+
+import (
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/web"
+	"time"
+	"xorm.io/xorm"
+)
+
+type Webhook struct {
+	ID        int64    `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
+	TargetURL string   `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
+	Events    []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
+	ProjectID int64    `xorm:"not null" json:"project_id" param:"project"`
+
+	// The user who initially created the webhook target.
+	CreatedBy   *user.User `xorm:"-" json:"created_by" valid:"-"`
+	CreatedByID int64      `xorm:"bigint not null" json:"-"`
+
+	// A timestamp when this webhook target was created. You cannot change this value.
+	Created time.Time `xorm:"created not null" json:"created"`
+	// A timestamp when this webhook target was last updated. You cannot change this value.
+	Updated time.Time `xorm:"updated not null" json:"updated"`
+
+	web.CRUDable `xorm:"-" json:"-"`
+	web.Rights   `xorm:"-" json:"-"`
+}
+
+func (w *Webhook) TableName() string {
+	return "webhooks"
+}
+
+func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
+	// TODO: check valid webhook events
+	w.CreatedByID = a.GetID()
+	_, err = s.Insert(w)
+	return
+}
+
+func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+	p := &Project{ID: w.ProjectID}
+	can, _, err := p.CanRead(s, a)
+	if err != nil {
+		return nil, 0, 0, err
+	}
+	if !can {
+		return nil, 0, 0, ErrGenericForbidden{}
+	}
+
+	ws := []*Webhook{}
+	err = s.Where("project_id = ?", w.ProjectID).
+		Limit(getLimitFromPageIndex(page, perPage)).
+		Find(&ws)
+	if err != nil {
+		return
+	}
+
+	total, err := s.Where("project_id = ?", w.ProjectID).
+		Count(&Webhook{})
+	if err != nil {
+		return
+	}
+
+	return ws, len(ws), total, err
+}
+
+func (w *Webhook) Update(s *xorm.Session, a web.Auth) (err error) {
+	// TODO validate webhook events
+	_, err = s.Where("id = ?", w.ID).
+		Cols("events").
+		Update(w)
+	return
+}
+
+func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
+	_, err = s.Where("id = ?", w.ID).Delete(&Webhook{})
+	return
+}
diff --git a/pkg/models/webhooks_rights.go b/pkg/models/webhooks_rights.go
new file mode 100644
index 00000000000..fed8483be20
--- /dev/null
+++ b/pkg/models/webhooks_rights.go
@@ -0,0 +1,42 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package models
+
+import (
+	"code.vikunja.io/web"
+	"xorm.io/xorm"
+)
+
+func (w *Webhook) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
+	p := &Project{ID: w.ProjectID}
+	return p.CanRead(s, a)
+}
+
+func (w *Webhook) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {
+	p := &Project{ID: w.ProjectID}
+	return p.CanUpdate(s, a)
+}
+
+func (w *Webhook) CanUpdate(s *xorm.Session, a web.Auth) (bool, error) {
+	p := &Project{ID: w.ProjectID}
+	return p.CanUpdate(s, a)
+}
+
+func (w *Webhook) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
+	p := &Project{ID: w.ProjectID}
+	return p.CanUpdate(s, a)
+}

From e5b8d8bd2d629e363af5b069c2628d3df504ca21 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 13 Sep 2023 21:25:05 +0200
Subject: [PATCH 02/28] feat(webhooks): register task and project events as
 webhook

---
 pkg/models/events.go    | 72 ++++++++++++++++++++++++++++++++++++++---
 pkg/models/listeners.go | 36 +++++++++++++++++++++
 pkg/models/webhooks.go  | 22 +++++++++++++
 3 files changed, 126 insertions(+), 4 deletions(-)

diff --git a/pkg/models/events.go b/pkg/models/events.go
index fb75be8143b..467f8cf3ff5 100644
--- a/pkg/models/events.go
+++ b/pkg/models/events.go
@@ -36,6 +36,10 @@ func (t *TaskCreatedEvent) Name() string {
 	return "task.created"
 }
 
+func (t *TaskCreatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskUpdatedEvent represents an event where a task has been updated
 type TaskUpdatedEvent struct {
 	Task *Task
@@ -47,6 +51,10 @@ func (t *TaskUpdatedEvent) Name() string {
 	return "task.updated"
 }
 
+func (t *TaskUpdatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskDeletedEvent represents a TaskDeletedEvent event
 type TaskDeletedEvent struct {
 	Task *Task
@@ -58,6 +66,10 @@ func (t *TaskDeletedEvent) Name() string {
 	return "task.deleted"
 }
 
+func (t *TaskDeletedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskAssigneeCreatedEvent represents an event where a task has been assigned to a user
 type TaskAssigneeCreatedEvent struct {
 	Task     *Task
@@ -70,6 +82,10 @@ func (t *TaskAssigneeCreatedEvent) Name() string {
 	return "task.assignee.created"
 }
 
+func (t *TaskAssigneeCreatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskAssigneeDeletedEvent represents a TaskAssigneeDeletedEvent event
 type TaskAssigneeDeletedEvent struct {
 	Task     *Task
@@ -82,6 +98,10 @@ func (t *TaskAssigneeDeletedEvent) Name() string {
 	return "task.assignee.deleted"
 }
 
+func (t *TaskAssigneeDeletedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskCommentCreatedEvent represents an event where a task comment has been created
 type TaskCommentCreatedEvent struct {
 	Task    *Task
@@ -94,6 +114,10 @@ func (t *TaskCommentCreatedEvent) Name() string {
 	return "task.comment.created"
 }
 
+func (t *TaskCommentCreatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskCommentUpdatedEvent represents a TaskCommentUpdatedEvent event
 type TaskCommentUpdatedEvent struct {
 	Task    *Task
@@ -106,6 +130,10 @@ func (t *TaskCommentUpdatedEvent) Name() string {
 	return "task.comment.edited"
 }
 
+func (t *TaskCommentUpdatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskCommentDeletedEvent represents a TaskCommentDeletedEvent event
 type TaskCommentDeletedEvent struct {
 	Task    *Task
@@ -118,6 +146,10 @@ func (t *TaskCommentDeletedEvent) Name() string {
 	return "task.comment.deleted"
 }
 
+func (t *TaskCommentDeletedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskAttachmentCreatedEvent represents a TaskAttachmentCreatedEvent event
 type TaskAttachmentCreatedEvent struct {
 	Task       *Task
@@ -130,6 +162,10 @@ func (t *TaskAttachmentCreatedEvent) Name() string {
 	return "task.attachment.created"
 }
 
+func (t *TaskAttachmentCreatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskAttachmentDeletedEvent represents a TaskAttachmentDeletedEvent event
 type TaskAttachmentDeletedEvent struct {
 	Task       *Task
@@ -142,6 +178,10 @@ func (t *TaskAttachmentDeletedEvent) Name() string {
 	return "task.attachment.deleted"
 }
 
+func (t *TaskAttachmentDeletedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskRelationCreatedEvent represents a TaskRelationCreatedEvent event
 type TaskRelationCreatedEvent struct {
 	Task     *Task
@@ -154,6 +194,10 @@ func (t *TaskRelationCreatedEvent) Name() string {
 	return "task.relation.created"
 }
 
+func (t *TaskRelationCreatedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 // TaskRelationDeletedEvent represents a TaskRelationDeletedEvent event
 type TaskRelationDeletedEvent struct {
 	Task     *Task
@@ -166,6 +210,10 @@ func (t *TaskRelationDeletedEvent) Name() string {
 	return "task.relation.deleted"
 }
 
+func (t *TaskRelationDeletedEvent) ProjectID() int64 {
+	return t.Task.ProjectID
+}
+
 ////////////////////
 // Project Events //
 ////////////////////
@@ -188,10 +236,14 @@ type ProjectUpdatedEvent struct {
 }
 
 // Name defines the name for ProjectUpdatedEvent
-func (l *ProjectUpdatedEvent) Name() string {
+func (p *ProjectUpdatedEvent) Name() string {
 	return "project.updated"
 }
 
+func (p *ProjectUpdatedEvent) ProjectID() int64 {
+	return p.Project.ID
+}
+
 // ProjectDeletedEvent represents an event where a project has been deleted
 type ProjectDeletedEvent struct {
 	Project *Project
@@ -199,10 +251,14 @@ type ProjectDeletedEvent struct {
 }
 
 // Name defines the name for ProjectDeletedEvent
-func (t *ProjectDeletedEvent) Name() string {
+func (p *ProjectDeletedEvent) Name() string {
 	return "project.deleted"
 }
 
+func (p *ProjectDeletedEvent) ProjectID() int64 {
+	return p.Project.ID
+}
+
 ////////////////////
 // Sharing Events //
 ////////////////////
@@ -215,10 +271,14 @@ type ProjectSharedWithUserEvent struct {
 }
 
 // Name defines the name for ProjectSharedWithUserEvent
-func (l *ProjectSharedWithUserEvent) Name() string {
+func (p *ProjectSharedWithUserEvent) Name() string {
 	return "project.shared.user"
 }
 
+func (p *ProjectSharedWithUserEvent) ProjectID() int64 {
+	return p.Project.ID
+}
+
 // ProjectSharedWithTeamEvent represents an event where a project has been shared with a team
 type ProjectSharedWithTeamEvent struct {
 	Project *Project
@@ -227,10 +287,14 @@ type ProjectSharedWithTeamEvent struct {
 }
 
 // Name defines the name for ProjectSharedWithTeamEvent
-func (l *ProjectSharedWithTeamEvent) Name() string {
+func (p *ProjectSharedWithTeamEvent) Name() string {
 	return "project.shared.team"
 }
 
+func (p *ProjectSharedWithTeamEvent) ProjectID() int64 {
+	return p.Project.ID
+}
+
 /////////////////
 // Team Events //
 /////////////////
diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index fcc23179ee1..f0d41f703f1 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -65,6 +65,22 @@ func RegisterListeners() {
 		events.RegisterListener((&TaskDeletedEvent{}).Name(), &RemoveTaskFromTypesense{})
 		events.RegisterListener((&TaskCreatedEvent{}).Name(), &AddTaskToTypesense{})
 	}
+	RegisterEventForWebhook(&TaskCreatedEvent{})
+	RegisterEventForWebhook(&TaskUpdatedEvent{})
+	RegisterEventForWebhook(&TaskDeletedEvent{})
+	RegisterEventForWebhook(&TaskAssigneeCreatedEvent{})
+	RegisterEventForWebhook(&TaskAssigneeDeletedEvent{})
+	RegisterEventForWebhook(&TaskCommentCreatedEvent{})
+	RegisterEventForWebhook(&TaskCommentUpdatedEvent{})
+	RegisterEventForWebhook(&TaskCommentDeletedEvent{})
+	RegisterEventForWebhook(&TaskAttachmentCreatedEvent{})
+	RegisterEventForWebhook(&TaskAttachmentDeletedEvent{})
+	RegisterEventForWebhook(&TaskRelationCreatedEvent{})
+	RegisterEventForWebhook(&TaskRelationDeletedEvent{})
+	RegisterEventForWebhook(&ProjectUpdatedEvent{})
+	RegisterEventForWebhook(&ProjectDeletedEvent{})
+	RegisterEventForWebhook(&ProjectSharedWithUserEvent{})
+	RegisterEventForWebhook(&ProjectSharedWithTeamEvent{})
 }
 
 //////
@@ -609,6 +625,26 @@ func (s *SendProjectCreatedNotification) Handle(msg *message.Message) (err error
 	return nil
 }
 
+// WebhookListener represents a listener
+type WebhookListener struct {
+}
+
+// Name defines the name for the WebhookListener listener
+func (s *WebhookListener) Name() string {
+	return "webhook.listener"
+}
+
+// Handle is executed when the event WebhookListener listens on is fired
+func (s *WebhookListener) Handle(msg *message.Message) (err error) {
+	event := &ProjectUpdatedEvent{}
+	err = json.Unmarshal(msg.Payload, event)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 ///////
 // Team Events
 
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 561b7a3611e..38db349a51c 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -17,8 +17,10 @@
 package models
 
 import (
+	"code.vikunja.io/api/pkg/events"
 	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web"
+	"sync"
 	"time"
 	"xorm.io/xorm"
 )
@@ -46,6 +48,26 @@ func (w *Webhook) TableName() string {
 	return "webhooks"
 }
 
+type WebhookEvent interface {
+	events.Event
+	ProjectID() int64
+}
+
+var availableWebhookEvents map[string]bool
+var availableWebhookEventsLock *sync.Mutex
+
+func init() {
+	availableWebhookEvents = make(map[string]bool)
+	availableWebhookEventsLock = &sync.Mutex{}
+}
+
+func RegisterEventForWebhook(event WebhookEvent) {
+	availableWebhookEventsLock.Lock()
+	defer availableWebhookEventsLock.Unlock()
+
+	availableWebhookEvents[event.Name()] = true
+}
+
 func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 	// TODO: check valid webhook events
 	w.CreatedByID = a.GetID()

From c5de41f183122d106fb56134fddc6f8a6b7fdda4 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 13 Sep 2023 21:36:00 +0200
Subject: [PATCH 03/28] feat(webhooks): add event listener to send webhook
 payload

---
 pkg/models/listeners.go | 52 +++++++++++++++++++++++++++++++++++++----
 pkg/models/webhooks.go  |  3 +++
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index f0d41f703f1..b443b22a098 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -17,8 +17,11 @@
 package models
 
 import (
+	"bytes"
 	"encoding/json"
+	"net/http"
 	"strconv"
+	"time"
 
 	"code.vikunja.io/api/pkg/config"
 
@@ -627,22 +630,63 @@ func (s *SendProjectCreatedNotification) Handle(msg *message.Message) (err error
 
 // WebhookListener represents a listener
 type WebhookListener struct {
+	EventName string
 }
 
 // Name defines the name for the WebhookListener listener
-func (s *WebhookListener) Name() string {
+func (wl *WebhookListener) Name() string {
 	return "webhook.listener"
 }
 
+type WebhookPayload struct {
+	EventName string       `json:"event_name"`
+	Time      time.Time    `json:"time"`
+	Data      WebhookEvent `json:"data"`
+}
+
 // Handle is executed when the event WebhookListener listens on is fired
-func (s *WebhookListener) Handle(msg *message.Message) (err error) {
-	event := &ProjectUpdatedEvent{}
+func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
+	var event WebhookEvent
 	err = json.Unmarshal(msg.Payload, event)
 	if err != nil {
 		return err
 	}
 
-	return nil
+	s := db.NewSession()
+	defer s.Close()
+
+	ws := []*Webhook{}
+	err = s.Where("project_id = ?", event.ProjectID()).
+		Find(&ws)
+	if err != nil {
+		return err
+	}
+
+	var webhook *Webhook
+	for _, w := range ws {
+		for _, e := range w.Events {
+			if e == wl.EventName {
+				webhook = w
+				break
+			}
+		}
+
+	}
+
+	if webhook == nil {
+		return nil
+	}
+
+	payload, err := json.Marshal(WebhookPayload{
+		EventName: wl.EventName,
+		Time:      time.Now(),
+		Data:      event,
+	})
+	if err != nil {
+		return err
+	}
+	_, err = http.NewRequest(http.MethodPost, webhook.TargetURL, bytes.NewReader(payload))
+	return
 }
 
 ///////
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 38db349a51c..f3a99e4c7b4 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -66,6 +66,9 @@ func RegisterEventForWebhook(event WebhookEvent) {
 	defer availableWebhookEventsLock.Unlock()
 
 	availableWebhookEvents[event.Name()] = true
+	events.RegisterListener(event.Name(), &WebhookListener{
+		EventName: event.Name(),
+	})
 }
 
 func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {

From 7f3c300240f50984acb3496331da8d2e3a3ff278 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 13 Sep 2023 21:38:26 +0200
Subject: [PATCH 04/28] feat(webhooks): add routes

---
 pkg/routes/routes.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index c3428c47b32..0905d7bde8e 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -574,6 +574,17 @@ func registerAPIRoutes(a *echo.Group) {
 	a.GET("/tokens", apiTokenProvider.ReadAllWeb)
 	a.PUT("/tokens", apiTokenProvider.CreateWeb)
 	a.DELETE("/tokens/:token", apiTokenProvider.DeleteWeb)
+
+	// Webhooks
+	webhookProvider := &handler.WebHandler{
+		EmptyStruct: func() handler.CObject {
+			return &models.Webhook{}
+		},
+	}
+	a.GET("/project/:project/webhooks", webhookProvider.ReadAllWeb)
+	a.PUT("/project/:project/webhooks", webhookProvider.CreateWeb)
+	a.DELETE("/project/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
+	a.POST("/project/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
 }
 
 func registerMigrations(m *echo.Group) {

From 7d1c5c50c58dddf9131e8a2ba8f87306c0a858f1 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 11:16:07 +0200
Subject: [PATCH 05/28] feat(webhooks): add basic sending of webhooks

---
 pkg/models/events.go    | 106 ++++++++++++++++++++--------------------
 pkg/models/listeners.go |  40 ++++++++++++---
 2 files changed, 86 insertions(+), 60 deletions(-)

diff --git a/pkg/models/events.go b/pkg/models/events.go
index 467f8cf3ff5..b42f6d7ba1c 100644
--- a/pkg/models/events.go
+++ b/pkg/models/events.go
@@ -27,8 +27,8 @@ import (
 
 // TaskCreatedEvent represents an event where a task has been created
 type TaskCreatedEvent struct {
-	Task *Task
-	Doer *user.User
+	Task *Task      `json:"task"`
+	Doer *user.User `json:"doer"`
 }
 
 // Name defines the name for TaskCreatedEvent
@@ -42,8 +42,8 @@ func (t *TaskCreatedEvent) ProjectID() int64 {
 
 // TaskUpdatedEvent represents an event where a task has been updated
 type TaskUpdatedEvent struct {
-	Task *Task
-	Doer *user.User
+	Task *Task      `json:"task"`
+	Doer *user.User `json:"doer"`
 }
 
 // Name defines the name for TaskUpdatedEvent
@@ -57,8 +57,8 @@ func (t *TaskUpdatedEvent) ProjectID() int64 {
 
 // TaskDeletedEvent represents a TaskDeletedEvent event
 type TaskDeletedEvent struct {
-	Task *Task
-	Doer *user.User
+	Task *Task      `json:"task"`
+	Doer *user.User `json:"doer"`
 }
 
 // Name defines the name for TaskDeletedEvent
@@ -72,9 +72,9 @@ func (t *TaskDeletedEvent) ProjectID() int64 {
 
 // TaskAssigneeCreatedEvent represents an event where a task has been assigned to a user
 type TaskAssigneeCreatedEvent struct {
-	Task     *Task
-	Assignee *user.User
-	Doer     *user.User
+	Task     *Task      `json:"task"`
+	Assignee *user.User `json:"assignee"`
+	Doer     *user.User `json:"doer"`
 }
 
 // Name defines the name for TaskAssigneeCreatedEvent
@@ -88,9 +88,9 @@ func (t *TaskAssigneeCreatedEvent) ProjectID() int64 {
 
 // TaskAssigneeDeletedEvent represents a TaskAssigneeDeletedEvent event
 type TaskAssigneeDeletedEvent struct {
-	Task     *Task
-	Assignee *user.User
-	Doer     *user.User
+	Task     *Task      `json:"task"`
+	Assignee *user.User `json:"assignee"`
+	Doer     *user.User `json:"doer"`
 }
 
 // Name defines the name for TaskAssigneeDeletedEvent
@@ -104,9 +104,9 @@ func (t *TaskAssigneeDeletedEvent) ProjectID() int64 {
 
 // TaskCommentCreatedEvent represents an event where a task comment has been created
 type TaskCommentCreatedEvent struct {
-	Task    *Task
-	Comment *TaskComment
-	Doer    *user.User
+	Task    *Task        `json:"task"`
+	Comment *TaskComment `json:"comment"`
+	Doer    *user.User   `json:"doer"`
 }
 
 // Name defines the name for TaskCommentCreatedEvent
@@ -120,9 +120,9 @@ func (t *TaskCommentCreatedEvent) ProjectID() int64 {
 
 // TaskCommentUpdatedEvent represents a TaskCommentUpdatedEvent event
 type TaskCommentUpdatedEvent struct {
-	Task    *Task
-	Comment *TaskComment
-	Doer    *user.User
+	Task    *Task        `json:"task"`
+	Comment *TaskComment `json:"comment"`
+	Doer    *user.User   `json:"doer"`
 }
 
 // Name defines the name for TaskCommentUpdatedEvent
@@ -136,9 +136,9 @@ func (t *TaskCommentUpdatedEvent) ProjectID() int64 {
 
 // TaskCommentDeletedEvent represents a TaskCommentDeletedEvent event
 type TaskCommentDeletedEvent struct {
-	Task    *Task
-	Comment *TaskComment
-	Doer    *user.User
+	Task    *Task        `json:"task"`
+	Comment *TaskComment `json:"comment"`
+	Doer    *user.User   `json:"doer"`
 }
 
 // Name defines the name for TaskCommentDeletedEvent
@@ -152,9 +152,9 @@ func (t *TaskCommentDeletedEvent) ProjectID() int64 {
 
 // TaskAttachmentCreatedEvent represents a TaskAttachmentCreatedEvent event
 type TaskAttachmentCreatedEvent struct {
-	Task       *Task
-	Attachment *TaskAttachment
-	Doer       *user.User
+	Task       *Task           `json:"task"`
+	Attachment *TaskAttachment `json:"attachment"`
+	Doer       *user.User      `json:"doer"`
 }
 
 // Name defines the name for TaskAttachmentCreatedEvent
@@ -168,9 +168,9 @@ func (t *TaskAttachmentCreatedEvent) ProjectID() int64 {
 
 // TaskAttachmentDeletedEvent represents a TaskAttachmentDeletedEvent event
 type TaskAttachmentDeletedEvent struct {
-	Task       *Task
-	Attachment *TaskAttachment
-	Doer       *user.User
+	Task       *Task           `json:"task"`
+	Attachment *TaskAttachment `json:"attachment"`
+	Doer       *user.User      `json:"doer"`
 }
 
 // Name defines the name for TaskAttachmentDeletedEvent
@@ -184,9 +184,9 @@ func (t *TaskAttachmentDeletedEvent) ProjectID() int64 {
 
 // TaskRelationCreatedEvent represents a TaskRelationCreatedEvent event
 type TaskRelationCreatedEvent struct {
-	Task     *Task
-	Relation *TaskRelation
-	Doer     *user.User
+	Task     *Task         `json:"task"`
+	Relation *TaskRelation `json:"relation"`
+	Doer     *user.User    `json:"doer"`
 }
 
 // Name defines the name for TaskRelationCreatedEvent
@@ -200,9 +200,9 @@ func (t *TaskRelationCreatedEvent) ProjectID() int64 {
 
 // TaskRelationDeletedEvent represents a TaskRelationDeletedEvent event
 type TaskRelationDeletedEvent struct {
-	Task     *Task
-	Relation *TaskRelation
-	Doer     *user.User
+	Task     *Task         `json:"task"`
+	Relation *TaskRelation `json:"relation"`
+	Doer     *user.User    `json:"doer"`
 }
 
 // Name defines the name for TaskRelationDeletedEvent
@@ -220,8 +220,8 @@ func (t *TaskRelationDeletedEvent) ProjectID() int64 {
 
 // ProjectCreatedEvent represents an event where a project has been created
 type ProjectCreatedEvent struct {
-	Project *Project
-	Doer    *user.User
+	Project *Project   `json:"project"`
+	Doer    *user.User `json:"doer"`
 }
 
 // Name defines the name for ProjectCreatedEvent
@@ -231,8 +231,8 @@ func (l *ProjectCreatedEvent) Name() string {
 
 // ProjectUpdatedEvent represents an event where a project has been updated
 type ProjectUpdatedEvent struct {
-	Project *Project
-	Doer    web.Auth
+	Project *Project `json:"project"`
+	Doer    web.Auth `json:"doer"`
 }
 
 // Name defines the name for ProjectUpdatedEvent
@@ -246,8 +246,8 @@ func (p *ProjectUpdatedEvent) ProjectID() int64 {
 
 // ProjectDeletedEvent represents an event where a project has been deleted
 type ProjectDeletedEvent struct {
-	Project *Project
-	Doer    web.Auth
+	Project *Project `json:"project"`
+	Doer    web.Auth `json:"doer"`
 }
 
 // Name defines the name for ProjectDeletedEvent
@@ -265,9 +265,9 @@ func (p *ProjectDeletedEvent) ProjectID() int64 {
 
 // ProjectSharedWithUserEvent represents an event where a project has been shared with a user
 type ProjectSharedWithUserEvent struct {
-	Project *Project
-	User    *user.User
-	Doer    web.Auth
+	Project *Project   `json:"project"`
+	User    *user.User `json:"user"`
+	Doer    web.Auth   `json:"doer"`
 }
 
 // Name defines the name for ProjectSharedWithUserEvent
@@ -281,9 +281,9 @@ func (p *ProjectSharedWithUserEvent) ProjectID() int64 {
 
 // ProjectSharedWithTeamEvent represents an event where a project has been shared with a team
 type ProjectSharedWithTeamEvent struct {
-	Project *Project
-	Team    *Team
-	Doer    web.Auth
+	Project *Project `json:"project"`
+	Team    *Team    `json:"team"`
+	Doer    web.Auth `json:"doer"`
 }
 
 // Name defines the name for ProjectSharedWithTeamEvent
@@ -301,9 +301,9 @@ func (p *ProjectSharedWithTeamEvent) ProjectID() int64 {
 
 // TeamMemberAddedEvent defines an event where a user is added to a team
 type TeamMemberAddedEvent struct {
-	Team   *Team
-	Member *user.User
-	Doer   *user.User
+	Team   *Team      `json:"team"`
+	Member *user.User `json:"member"`
+	Doer   *user.User `json:"doer"`
 }
 
 // Name defines the name for TeamMemberAddedEvent
@@ -313,8 +313,8 @@ func (t *TeamMemberAddedEvent) Name() string {
 
 // TeamCreatedEvent represents a TeamCreatedEvent event
 type TeamCreatedEvent struct {
-	Team *Team
-	Doer web.Auth
+	Team *Team    `json:"team"`
+	Doer web.Auth `json:"doer"`
 }
 
 // Name defines the name for TeamCreatedEvent
@@ -324,8 +324,8 @@ func (t *TeamCreatedEvent) Name() string {
 
 // TeamDeletedEvent represents a TeamDeletedEvent event
 type TeamDeletedEvent struct {
-	Team *Team
-	Doer web.Auth
+	Team *Team    `json:"team"`
+	Doer web.Auth `json:"doer"`
 }
 
 // Name defines the name for TeamDeletedEvent
@@ -335,7 +335,7 @@ func (t *TeamDeletedEvent) Name() string {
 
 // UserDataExportRequestedEvent represents a UserDataExportRequestedEvent event
 type UserDataExportRequestedEvent struct {
-	User *user.User
+	User *user.User `json:"user"`
 }
 
 // Name defines the name for UserDataExportRequestedEvent
diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index b443b22a098..db6aa5a60a1 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -639,24 +639,43 @@ func (wl *WebhookListener) Name() string {
 }
 
 type WebhookPayload struct {
-	EventName string       `json:"event_name"`
-	Time      time.Time    `json:"time"`
-	Data      WebhookEvent `json:"data"`
+	EventName string      `json:"event_name"`
+	Time      time.Time   `json:"time"`
+	Data      interface{} `json:"data"`
+}
+
+func getProjectIDFromAnyEvent(eventPayload map[string]interface{}) int64 {
+	if task, has := eventPayload["task"]; has {
+		t := task.(map[string]interface{})
+		if projectID, has := t["project_id"]; has {
+			switch projectID.(type) {
+			case int64:
+				return projectID.(int64)
+			case float64:
+				return int64(projectID.(float64))
+			}
+			return projectID.(int64)
+		}
+	}
+
+	return 0
 }
 
 // Handle is executed when the event WebhookListener listens on is fired
 func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
-	var event WebhookEvent
-	err = json.Unmarshal(msg.Payload, event)
+	var event map[string]interface{}
+	err = json.Unmarshal(msg.Payload, &event)
 	if err != nil {
 		return err
 	}
 
+	projectID := getProjectIDFromAnyEvent(event)
+
 	s := db.NewSession()
 	defer s.Close()
 
 	ws := []*Webhook{}
-	err = s.Where("project_id = ?", event.ProjectID()).
+	err = s.Where("project_id = ?", projectID).
 		Find(&ws)
 	if err != nil {
 		return err
@@ -685,7 +704,14 @@ func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
 	if err != nil {
 		return err
 	}
-	_, err = http.NewRequest(http.MethodPost, webhook.TargetURL, bytes.NewReader(payload))
+	req, err := http.NewRequest(http.MethodPost, webhook.TargetURL, bytes.NewReader(payload))
+	if err != nil {
+		return err
+	}
+	_, err = http.DefaultClient.Do(req)
+	if err == nil {
+		log.Debugf("Sent webhook payload for webhook %d for event %s", webhook.ID, wl.EventName)
+	}
 	return
 }
 

From 8d7a4929364e17f2eec75f22e9e04b472fe79ab1 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:12:16 +0200
Subject: [PATCH 06/28] feat(webhooks): add filter based on project id

---
 pkg/models/listeners.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index db6aa5a60a1..a75153f8155 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -658,6 +658,19 @@ func getProjectIDFromAnyEvent(eventPayload map[string]interface{}) int64 {
 		}
 	}
 
+	if project, has := eventPayload["project"]; has {
+		t := project.(map[string]interface{})
+		if projectID, has := t["id"]; has {
+			switch projectID.(type) {
+			case int64:
+				return projectID.(int64)
+			case float64:
+				return int64(projectID.(float64))
+			}
+			return projectID.(int64)
+		}
+	}
+
 	return 0
 }
 
@@ -670,6 +683,10 @@ func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
 	}
 
 	projectID := getProjectIDFromAnyEvent(event)
+	if projectID == 0 {
+		log.Debugf("event %s does not contain a project id, not handling webhook", wl.EventName)
+		return nil
+	}
 
 	s := db.NewSession()
 	defer s.Close()
@@ -693,6 +710,7 @@ func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
 	}
 
 	if webhook == nil {
+		log.Debugf("Did not find any webhook for the %s event for project %d, not sending", wl.EventName, projectID)
 		return nil
 	}
 

From 57de44694c663c50a209effeffd9615be81f7550 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:13:06 +0200
Subject: [PATCH 07/28] feat(webhooks): add index on project id

---
 pkg/migration/20230913202615.go | 2 +-
 pkg/models/webhooks.go          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/migration/20230913202615.go b/pkg/migration/20230913202615.go
index 1df44f1e91b..f96badbede2 100644
--- a/pkg/migration/20230913202615.go
+++ b/pkg/migration/20230913202615.go
@@ -26,7 +26,7 @@ type webhooks20230913202615 struct {
 	ID          int64     `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
 	TargetURL   string    `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
 	Events      []string  `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
-	ProjectID   int64     `xorm:"not null" json:"project_id" param:"project"`
+	ProjectID   int64     `xorm:"bigint not null index" json:"project_id" param:"project"`
 	CreatedByID int64     `xorm:"bigint not null" json:"-"`
 	Created     time.Time `xorm:"created not null" json:"created"`
 	Updated     time.Time `xorm:"updated not null" json:"updated"`
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index f3a99e4c7b4..f81f3962e13 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -29,7 +29,7 @@ type Webhook struct {
 	ID        int64    `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
 	TargetURL string   `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
 	Events    []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
-	ProjectID int64    `xorm:"not null" json:"project_id" param:"project"`
+	ProjectID int64    `xorm:"bigint not null index" json:"project_id" param:"project"`
 
 	// The user who initially created the webhook target.
 	CreatedBy   *user.User `xorm:"-" json:"created_by" valid:"-"`

From eb1b9247ad5f5c3a2141db7c8d9989f60443abe3 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:15:37 +0200
Subject: [PATCH 08/28] feat(webhooks): prevent link shares from managing
 webhooks

---
 pkg/models/webhooks_rights.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/pkg/models/webhooks_rights.go b/pkg/models/webhooks_rights.go
index fed8483be20..b5cc88bd3b7 100644
--- a/pkg/models/webhooks_rights.go
+++ b/pkg/models/webhooks_rights.go
@@ -27,16 +27,23 @@ func (w *Webhook) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
 }
 
 func (w *Webhook) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {
-	p := &Project{ID: w.ProjectID}
-	return p.CanUpdate(s, a)
+	return w.canDoWebhook(s, a)
 }
 
 func (w *Webhook) CanUpdate(s *xorm.Session, a web.Auth) (bool, error) {
-	p := &Project{ID: w.ProjectID}
-	return p.CanUpdate(s, a)
+	return w.canDoWebhook(s, a)
 }
 
 func (w *Webhook) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
+	return w.canDoWebhook(s, a)
+}
+
+func (w *Webhook) canDoWebhook(s *xorm.Session, a web.Auth) (bool, error) {
+	_, isShareAuth := a.(*LinkSharing)
+	if isShareAuth {
+		return false, nil
+	}
+
 	p := &Project{ID: w.ProjectID}
 	return p.CanUpdate(s, a)
 }

From 96ccf6b92395b4d8424ff0fa9b3b829ff5d459ce Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:21:20 +0200
Subject: [PATCH 09/28] feat(webhooks): add route to get all available webhook
 events

---
 pkg/models/webhooks.go        | 12 ++++++++++++
 pkg/routes/api/v1/webhooks.go | 27 +++++++++++++++++++++++++++
 pkg/routes/routes.go          |  1 +
 3 files changed, 40 insertions(+)
 create mode 100644 pkg/routes/api/v1/webhooks.go

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index f81f3962e13..35510150e9b 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -20,6 +20,7 @@ import (
 	"code.vikunja.io/api/pkg/events"
 	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/web"
+	"sort"
 	"sync"
 	"time"
 	"xorm.io/xorm"
@@ -71,6 +72,17 @@ func RegisterEventForWebhook(event WebhookEvent) {
 	})
 }
 
+func GetAvailableWebhookEvents() []string {
+	evts := []string{}
+	for e := range availableWebhookEvents {
+		evts = append(evts, e)
+	}
+
+	sort.Strings(evts)
+
+	return evts
+}
+
 func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 	// TODO: check valid webhook events
 	w.CreatedByID = a.GetID()
diff --git a/pkg/routes/api/v1/webhooks.go b/pkg/routes/api/v1/webhooks.go
new file mode 100644
index 00000000000..1f418e3c40d
--- /dev/null
+++ b/pkg/routes/api/v1/webhooks.go
@@ -0,0 +1,27 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package v1
+
+import (
+	"code.vikunja.io/api/pkg/models"
+	"github.com/labstack/echo/v4"
+	"net/http"
+)
+
+func GetAvailableWebhookEvents(c echo.Context) error {
+	return c.JSON(http.StatusOK, models.GetAvailableWebhookEvents())
+}
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 0905d7bde8e..4efaaecc4b7 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -585,6 +585,7 @@ func registerAPIRoutes(a *echo.Group) {
 	a.PUT("/project/:project/webhooks", webhookProvider.CreateWeb)
 	a.DELETE("/project/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
 	a.POST("/project/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
+	a.GET("/webhooks/events", apiv1.GetAvailableWebhookEvents)
 }
 
 func registerMigrations(m *echo.Group) {

From 4253d14367ba855ac874d619f6e58c5744639a2e Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:22:57 +0200
Subject: [PATCH 10/28] chore(webhooks): remove WebhookEvent interface

---
 pkg/models/events.go   | 64 ------------------------------------------
 pkg/models/webhooks.go |  7 +----
 2 files changed, 1 insertion(+), 70 deletions(-)

diff --git a/pkg/models/events.go b/pkg/models/events.go
index b42f6d7ba1c..5fd75bf5d11 100644
--- a/pkg/models/events.go
+++ b/pkg/models/events.go
@@ -36,10 +36,6 @@ func (t *TaskCreatedEvent) Name() string {
 	return "task.created"
 }
 
-func (t *TaskCreatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskUpdatedEvent represents an event where a task has been updated
 type TaskUpdatedEvent struct {
 	Task *Task      `json:"task"`
@@ -51,10 +47,6 @@ func (t *TaskUpdatedEvent) Name() string {
 	return "task.updated"
 }
 
-func (t *TaskUpdatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskDeletedEvent represents a TaskDeletedEvent event
 type TaskDeletedEvent struct {
 	Task *Task      `json:"task"`
@@ -66,10 +58,6 @@ func (t *TaskDeletedEvent) Name() string {
 	return "task.deleted"
 }
 
-func (t *TaskDeletedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskAssigneeCreatedEvent represents an event where a task has been assigned to a user
 type TaskAssigneeCreatedEvent struct {
 	Task     *Task      `json:"task"`
@@ -82,10 +70,6 @@ func (t *TaskAssigneeCreatedEvent) Name() string {
 	return "task.assignee.created"
 }
 
-func (t *TaskAssigneeCreatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskAssigneeDeletedEvent represents a TaskAssigneeDeletedEvent event
 type TaskAssigneeDeletedEvent struct {
 	Task     *Task      `json:"task"`
@@ -98,10 +82,6 @@ func (t *TaskAssigneeDeletedEvent) Name() string {
 	return "task.assignee.deleted"
 }
 
-func (t *TaskAssigneeDeletedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskCommentCreatedEvent represents an event where a task comment has been created
 type TaskCommentCreatedEvent struct {
 	Task    *Task        `json:"task"`
@@ -114,10 +94,6 @@ func (t *TaskCommentCreatedEvent) Name() string {
 	return "task.comment.created"
 }
 
-func (t *TaskCommentCreatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskCommentUpdatedEvent represents a TaskCommentUpdatedEvent event
 type TaskCommentUpdatedEvent struct {
 	Task    *Task        `json:"task"`
@@ -130,10 +106,6 @@ func (t *TaskCommentUpdatedEvent) Name() string {
 	return "task.comment.edited"
 }
 
-func (t *TaskCommentUpdatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskCommentDeletedEvent represents a TaskCommentDeletedEvent event
 type TaskCommentDeletedEvent struct {
 	Task    *Task        `json:"task"`
@@ -146,10 +118,6 @@ func (t *TaskCommentDeletedEvent) Name() string {
 	return "task.comment.deleted"
 }
 
-func (t *TaskCommentDeletedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskAttachmentCreatedEvent represents a TaskAttachmentCreatedEvent event
 type TaskAttachmentCreatedEvent struct {
 	Task       *Task           `json:"task"`
@@ -162,10 +130,6 @@ func (t *TaskAttachmentCreatedEvent) Name() string {
 	return "task.attachment.created"
 }
 
-func (t *TaskAttachmentCreatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskAttachmentDeletedEvent represents a TaskAttachmentDeletedEvent event
 type TaskAttachmentDeletedEvent struct {
 	Task       *Task           `json:"task"`
@@ -178,10 +142,6 @@ func (t *TaskAttachmentDeletedEvent) Name() string {
 	return "task.attachment.deleted"
 }
 
-func (t *TaskAttachmentDeletedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskRelationCreatedEvent represents a TaskRelationCreatedEvent event
 type TaskRelationCreatedEvent struct {
 	Task     *Task         `json:"task"`
@@ -194,10 +154,6 @@ func (t *TaskRelationCreatedEvent) Name() string {
 	return "task.relation.created"
 }
 
-func (t *TaskRelationCreatedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 // TaskRelationDeletedEvent represents a TaskRelationDeletedEvent event
 type TaskRelationDeletedEvent struct {
 	Task     *Task         `json:"task"`
@@ -210,10 +166,6 @@ func (t *TaskRelationDeletedEvent) Name() string {
 	return "task.relation.deleted"
 }
 
-func (t *TaskRelationDeletedEvent) ProjectID() int64 {
-	return t.Task.ProjectID
-}
-
 ////////////////////
 // Project Events //
 ////////////////////
@@ -240,10 +192,6 @@ func (p *ProjectUpdatedEvent) Name() string {
 	return "project.updated"
 }
 
-func (p *ProjectUpdatedEvent) ProjectID() int64 {
-	return p.Project.ID
-}
-
 // ProjectDeletedEvent represents an event where a project has been deleted
 type ProjectDeletedEvent struct {
 	Project *Project `json:"project"`
@@ -255,10 +203,6 @@ func (p *ProjectDeletedEvent) Name() string {
 	return "project.deleted"
 }
 
-func (p *ProjectDeletedEvent) ProjectID() int64 {
-	return p.Project.ID
-}
-
 ////////////////////
 // Sharing Events //
 ////////////////////
@@ -275,10 +219,6 @@ func (p *ProjectSharedWithUserEvent) Name() string {
 	return "project.shared.user"
 }
 
-func (p *ProjectSharedWithUserEvent) ProjectID() int64 {
-	return p.Project.ID
-}
-
 // ProjectSharedWithTeamEvent represents an event where a project has been shared with a team
 type ProjectSharedWithTeamEvent struct {
 	Project *Project `json:"project"`
@@ -291,10 +231,6 @@ func (p *ProjectSharedWithTeamEvent) Name() string {
 	return "project.shared.team"
 }
 
-func (p *ProjectSharedWithTeamEvent) ProjectID() int64 {
-	return p.Project.ID
-}
-
 /////////////////
 // Team Events //
 /////////////////
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 35510150e9b..94e5285545c 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -49,11 +49,6 @@ func (w *Webhook) TableName() string {
 	return "webhooks"
 }
 
-type WebhookEvent interface {
-	events.Event
-	ProjectID() int64
-}
-
 var availableWebhookEvents map[string]bool
 var availableWebhookEventsLock *sync.Mutex
 
@@ -62,7 +57,7 @@ func init() {
 	availableWebhookEventsLock = &sync.Mutex{}
 }
 
-func RegisterEventForWebhook(event WebhookEvent) {
+func RegisterEventForWebhook(event events.Event) {
 	availableWebhookEventsLock.Lock()
 	defer availableWebhookEventsLock.Unlock()
 

From a3a323cbf1490e1ae755e9d636812604f2b27327 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 14 Sep 2023 12:24:48 +0200
Subject: [PATCH 11/28] feat(webhooks): set user agent header to Vikunja

---
 pkg/models/listeners.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index a75153f8155..2972914ef95 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -18,6 +18,7 @@ package models
 
 import (
 	"bytes"
+	"code.vikunja.io/api/pkg/version"
 	"encoding/json"
 	"net/http"
 	"strconv"
@@ -726,6 +727,7 @@ func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
 	if err != nil {
 		return err
 	}
+	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
 	_, err = http.DefaultClient.Do(req)
 	if err == nil {
 		log.Debugf("Sent webhook payload for webhook %d for event %s", webhook.ID, wl.EventName)

From a0d8b28813821205d4762181ac473b13863fb079 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Fri, 13 Oct 2023 18:10:37 +0200
Subject: [PATCH 12/28] feat(webhooks): add hmac signing

---
 pkg/migration/20230913202615.go |  1 +
 pkg/models/listeners.go         | 17 +-------------
 pkg/models/webhooks.go          | 41 ++++++++++++++++++++++++++++++++-
 3 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/pkg/migration/20230913202615.go b/pkg/migration/20230913202615.go
index f96badbede2..5eceba38d1f 100644
--- a/pkg/migration/20230913202615.go
+++ b/pkg/migration/20230913202615.go
@@ -27,6 +27,7 @@ type webhooks20230913202615 struct {
 	TargetURL   string    `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
 	Events      []string  `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
 	ProjectID   int64     `xorm:"bigint not null index" json:"project_id" param:"project"`
+	Secret      string    `xorm:"null" json:"secret"`
 	CreatedByID int64     `xorm:"bigint not null" json:"-"`
 	Created     time.Time `xorm:"created not null" json:"created"`
 	Updated     time.Time `xorm:"updated not null" json:"updated"`
diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index 2972914ef95..b0f9e665b4e 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -17,10 +17,7 @@
 package models
 
 import (
-	"bytes"
-	"code.vikunja.io/api/pkg/version"
 	"encoding/json"
-	"net/http"
 	"strconv"
 	"time"
 
@@ -715,23 +712,11 @@ func (wl *WebhookListener) Handle(msg *message.Message) (err error) {
 		return nil
 	}
 
-	payload, err := json.Marshal(WebhookPayload{
+	err = webhook.sendWebhookPayload(&WebhookPayload{
 		EventName: wl.EventName,
 		Time:      time.Now(),
 		Data:      event,
 	})
-	if err != nil {
-		return err
-	}
-	req, err := http.NewRequest(http.MethodPost, webhook.TargetURL, bytes.NewReader(payload))
-	if err != nil {
-		return err
-	}
-	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
-	_, err = http.DefaultClient.Do(req)
-	if err == nil {
-		log.Debugf("Sent webhook payload for webhook %d for event %s", webhook.ID, wl.EventName)
-	}
 	return
 }
 
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 94e5285545c..0afd50c6d5f 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -17,9 +17,17 @@
 package models
 
 import (
+	"bytes"
 	"code.vikunja.io/api/pkg/events"
+	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/version"
 	"code.vikunja.io/web"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
 	"sort"
 	"sync"
 	"time"
@@ -29,8 +37,9 @@ import (
 type Webhook struct {
 	ID        int64    `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
 	TargetURL string   `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
-	Events    []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"event"`
+	Events    []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"events"`
 	ProjectID int64    `xorm:"bigint not null index" json:"project_id" param:"project"`
+	Secret    string   `xorm:"null" json:"secret"`
 
 	// The user who initially created the webhook target.
 	CreatedBy   *user.User `xorm:"-" json:"created_by" valid:"-"`
@@ -124,3 +133,33 @@ func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
 	_, err = s.Where("id = ?", w.ID).Delete(&Webhook{})
 	return
 }
+
+func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
+	payload, err := json.Marshal(p)
+	if err != nil {
+		return err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, w.TargetURL, bytes.NewReader(payload))
+	if err != nil {
+		return err
+	}
+
+	if len(w.Secret) > 0 {
+		sig256 := hmac.New(sha256.New, []byte(w.Secret))
+		_, err = sig256.Write(payload)
+		if err != nil {
+			log.Errorf("Could not generate webhook signature for Webhook %d: %s", w.ID, err)
+		}
+		signature := hex.EncodeToString(sig256.Sum(nil))
+		req.Header.Add("X-Vikunja-Signature", signature)
+	}
+
+	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
+
+	_, err = http.DefaultClient.Do(req)
+	if err == nil {
+		log.Debugf("Sent webhook payload for webhook %d for event %s", w.ID, p.EventName)
+	}
+	return
+}

From 8cc775ac4c2f8f0390ee10e10a5515c0d6a9d9ac Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Fri, 13 Oct 2023 18:10:59 +0200
Subject: [PATCH 13/28] fix(webhooks): routes should use the common schema used
 for other routes already

---
 pkg/routes/routes.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index 4efaaecc4b7..b43bc4b67fe 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -581,10 +581,10 @@ func registerAPIRoutes(a *echo.Group) {
 			return &models.Webhook{}
 		},
 	}
-	a.GET("/project/:project/webhooks", webhookProvider.ReadAllWeb)
-	a.PUT("/project/:project/webhooks", webhookProvider.CreateWeb)
-	a.DELETE("/project/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
-	a.POST("/project/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
+	a.GET("/projects/:project/webhooks", webhookProvider.ReadAllWeb)
+	a.PUT("/projects/:project/webhooks", webhookProvider.CreateWeb)
+	a.DELETE("/projects/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
+	a.POST("/projects/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
 	a.GET("/webhooks/events", apiv1.GetAvailableWebhookEvents)
 }
 

From 34a92b759e8cbcc6cf8dcedbe283644aab92077d Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:03:11 +0200
Subject: [PATCH 14/28] feat(webhooks): add setting to enable webhooks

---
 pkg/config/config.go   |  5 +++++
 pkg/models/webhooks.go |  5 +++++
 pkg/routes/routes.go   | 20 +++++++++++---------
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index 57f7bef8f76..c1fbaa74eac 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -172,6 +172,9 @@ const (
 	DefaultSettingsLanguage                    Key = `defaultsettings.language`
 	DefaultSettingsTimezone                    Key = `defaultsettings.timezone`
 	DefaultSettingsOverdueTaskRemindersTime    Key = `defaultsettings.overdue_tasks_reminders_time`
+
+	WebhooksEnabled        Key = `webhooks.enabled`
+	WebhooksTimeoutSeconds Key = `webhooks.timeoutseconds`
 )
 
 // GetString returns a string config value
@@ -387,6 +390,8 @@ func InitDefaultConfig() {
 	DefaultSettingsAvatarProvider.setDefault("initials")
 	DefaultSettingsOverdueTaskRemindersEnabled.setDefault(true)
 	DefaultSettingsOverdueTaskRemindersTime.setDefault("9:00")
+	// Webhook
+	WebhooksEnabled.setDefault(true)
 }
 
 // InitConfig initializes the config, sets defaults etc.
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 0afd50c6d5f..f440d8f2ea3 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -18,6 +18,7 @@ package models
 
 import (
 	"bytes"
+	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/events"
 	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/user"
@@ -67,6 +68,10 @@ func init() {
 }
 
 func RegisterEventForWebhook(event events.Event) {
+	if !config.WebhooksEnabled.GetBool() {
+		return
+	}
+
 	availableWebhookEventsLock.Lock()
 	defer availableWebhookEventsLock.Unlock()
 
diff --git a/pkg/routes/routes.go b/pkg/routes/routes.go
index b43bc4b67fe..04a98c7386f 100644
--- a/pkg/routes/routes.go
+++ b/pkg/routes/routes.go
@@ -576,16 +576,18 @@ func registerAPIRoutes(a *echo.Group) {
 	a.DELETE("/tokens/:token", apiTokenProvider.DeleteWeb)
 
 	// Webhooks
-	webhookProvider := &handler.WebHandler{
-		EmptyStruct: func() handler.CObject {
-			return &models.Webhook{}
-		},
+	if config.WebhooksEnabled.GetBool() {
+		webhookProvider := &handler.WebHandler{
+			EmptyStruct: func() handler.CObject {
+				return &models.Webhook{}
+			},
+		}
+		a.GET("/projects/:project/webhooks", webhookProvider.ReadAllWeb)
+		a.PUT("/projects/:project/webhooks", webhookProvider.CreateWeb)
+		a.DELETE("/projects/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
+		a.POST("/projects/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
+		a.GET("/webhooks/events", apiv1.GetAvailableWebhookEvents)
 	}
-	a.GET("/projects/:project/webhooks", webhookProvider.ReadAllWeb)
-	a.PUT("/projects/:project/webhooks", webhookProvider.CreateWeb)
-	a.DELETE("/projects/:project/webhooks/:webhook", webhookProvider.DeleteWeb)
-	a.POST("/projects/:project/webhooks/:webhook", webhookProvider.UpdateWeb)
-	a.GET("/webhooks/events", apiv1.GetAvailableWebhookEvents)
 }
 
 func registerMigrations(m *echo.Group) {

From b38360c9a59624866e467de81acf62e38af8db59 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:06:25 +0200
Subject: [PATCH 15/28] feat(webhooks): add timeout config option

---
 pkg/config/config.go   | 1 +
 pkg/models/webhooks.go | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index c1fbaa74eac..0b39a318d09 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -392,6 +392,7 @@ func InitDefaultConfig() {
 	DefaultSettingsOverdueTaskRemindersTime.setDefault("9:00")
 	// Webhook
 	WebhooksEnabled.setDefault(true)
+	WebhooksTimeoutSeconds.setDefault(30)
 }
 
 // InitConfig initializes the config, sets defaults etc.
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index f440d8f2ea3..4f32a84cafe 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -162,7 +162,10 @@ func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 
 	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
 
-	_, err = http.DefaultClient.Do(req)
+	client := http.DefaultClient
+	client.Timeout = time.Duration(config.WebhooksTimeoutSeconds.GetInt()) * time.Second
+
+	_, err = client.Do(req)
 	if err == nil {
 		log.Debugf("Sent webhook payload for webhook %d for event %s", w.ID, p.EventName)
 	}

From 831aa4a01449f141a3590adc7e3baa6223aa7935 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:42:00 +0200
Subject: [PATCH 16/28] feat(webhooks): add support for webhook proxy

---
 pkg/config/config.go   |  2 ++
 pkg/models/webhooks.go | 29 +++++++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/pkg/config/config.go b/pkg/config/config.go
index 0b39a318d09..50e93e0aaf0 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -175,6 +175,8 @@ const (
 
 	WebhooksEnabled        Key = `webhooks.enabled`
 	WebhooksTimeoutSeconds Key = `webhooks.timeoutseconds`
+	WebhooksProxyURL       Key = `webhooks.proxyurl`
+	WebhooksProxyPassword  Key = `webhooks.proxypassword`
 )
 
 // GetString returns a string config value
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 4f32a84cafe..36debf4b3ac 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -26,9 +26,11 @@ import (
 	"code.vikunja.io/web"
 	"crypto/hmac"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"net/http"
+	"net/url"
 	"sort"
 	"sync"
 	"time"
@@ -139,6 +141,27 @@ func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
 	return
 }
 
+func getWebhookHTTPClient() (client *http.Client) {
+	client = http.DefaultClient
+	client.Timeout = time.Duration(config.WebhooksTimeoutSeconds.GetInt()) * time.Second
+
+	if config.WebhooksProxyURL.GetString() == "" || config.WebhooksProxyPassword.GetString() == "" {
+		return
+	}
+
+	proxyURL, _ := url.Parse(config.WebhooksProxyURL.GetString())
+
+	client.Transport = &http.Transport{
+		Proxy: http.ProxyURL(proxyURL),
+		ProxyConnectHeader: http.Header{
+			"Proxy-Authorization": []string{"Basic " + base64.StdEncoding.EncodeToString([]byte("vikunja:"+config.WebhooksProxyPassword.GetString()))},
+			"User-Agent":          []string{"Vikunja/" + version.Version},
+		},
+	}
+
+	return
+}
+
 func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 	payload, err := json.Marshal(p)
 	if err != nil {
@@ -162,9 +185,11 @@ func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 
 	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
 
-	client := http.DefaultClient
-	client.Timeout = time.Duration(config.WebhooksTimeoutSeconds.GetInt()) * time.Second
+	if config.WebhooksProxyURL.GetString() != "" && config.WebhooksProxyPassword.GetString() != "" {
+		req.Header.Add("Proxy-Authorization", base64.StdEncoding.EncodeToString([]byte(config.WebhooksProxyPassword.GetString())))
+	}
 
+	client := getWebhookHTTPClient()
 	_, err = client.Do(req)
 	if err == nil {
 		log.Debugf("Sent webhook payload for webhook %d for event %s", w.ID, p.EventName)

From c3947e10163b6133f6cdad9ecd05f8ba0b663a40 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:47:23 +0200
Subject: [PATCH 17/28] docs(webhooks): add webhook config to sample config

---
 config.yml.sample                | 10 +++++++
 docs/content/doc/setup/config.md | 50 ++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/config.yml.sample b/config.yml.sample
index 3a56d948b69..954118d9cd4 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -346,3 +346,13 @@ defaultsettings:
   language: <unset>
   # The time zone of each individual user. This will affect when users get reminders and overdue task emails.
   timezone: <time zone set at service.timezone>
+
+webhooks:
+  # Whether to enable support for webhooks
+  enabled: true
+  # The timout in seconds until a webhook request fails when no response has been received.
+  timoutseconds: 30
+  # The URL of [a mole instance](https://github.com/frain-dev/mole) to use to proxy outgoing webhook requests. You should use this and configure appropriately if you're not the only one using your Vikunja instance. More info about why: https://webhooks.fyi/best-practices/webhook-providers#implement-security-on-egress-communication. Must be used in combination with `webhooks.password` (see below).
+  proxyurl:
+  # The proxy password to use when authenticating against the proxy.
+  proxypassword:
diff --git a/docs/content/doc/setup/config.md b/docs/content/doc/setup/config.md
index ba4002a971d..b1030685077 100644
--- a/docs/content/doc/setup/config.md
+++ b/docs/content/doc/setup/config.md
@@ -1327,3 +1327,53 @@ Full path: `defaultsettings.timezone`
 Environment path: `VIKUNJA_DEFAULTSETTINGS_TIMEZONE`
 
 
+---
+
+## webhooks
+
+
+
+### enabled
+
+Whether to enable support for webhooks
+
+Default: `true`
+
+Full path: `webhooks.enabled`
+
+Environment path: `VIKUNJA_WEBHOOKS_ENABLED`
+
+
+### timoutseconds
+
+The timout in seconds until a webhook request fails when no response has been received.
+
+Default: `30`
+
+Full path: `webhooks.timoutseconds`
+
+Environment path: `VIKUNJA_WEBHOOKS_TIMOUTSECONDS`
+
+
+### proxyurl
+
+The URL of [a mole instance](https://github.com/frain-dev/mole) to use to proxy outgoing webhook requests. You should use this and configure appropriately if you're not the only one using your Vikunja instance. More info about why: https://webhooks.fyi/best-practices/webhook-providers#implement-security-on-egress-communication. Must be used in combination with `webhooks.password` (see below).
+
+Default: `<empty>`
+
+Full path: `webhooks.proxyurl`
+
+Environment path: `VIKUNJA_WEBHOOKS_PROXYURL`
+
+
+### proxypassword
+
+The proxy password to use when authenticating against the proxy.
+
+Default: `<empty>`
+
+Full path: `webhooks.proxypassword`
+
+Environment path: `VIKUNJA_WEBHOOKS_PROXYPASSWORD`
+
+

From ec4aa606e213639d68339d34d43b826846c594df Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:50:45 +0200
Subject: [PATCH 18/28] chore(webhooks): reuse webhook client

---
 pkg/models/webhooks.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 36debf4b3ac..39dc5c575d8 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -37,6 +37,8 @@ import (
 	"xorm.io/xorm"
 )
 
+var webhookClient *http.Client
+
 type Webhook struct {
 	ID        int64    `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
 	TargetURL string   `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
@@ -142,10 +144,16 @@ func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
 }
 
 func getWebhookHTTPClient() (client *http.Client) {
+
+	if webhookClient != nil {
+		return webhookClient
+	}
+
 	client = http.DefaultClient
 	client.Timeout = time.Duration(config.WebhooksTimeoutSeconds.GetInt()) * time.Second
 
 	if config.WebhooksProxyURL.GetString() == "" || config.WebhooksProxyPassword.GetString() == "" {
+		webhookClient = client
 		return
 	}
 
@@ -159,6 +167,8 @@ func getWebhookHTTPClient() (client *http.Client) {
 		},
 	}
 
+	webhookClient = client
+
 	return
 }
 

From 1b82f26d3e13e35f4326f123cb7bc52b558553b4 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:57:33 +0200
Subject: [PATCH 19/28] chore(webhooks): simplify registering webhook events

---
 pkg/models/listeners.go | 34 ++++++++++++++++++----------------
 pkg/models/webhooks.go  |  4 ----
 2 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index b0f9e665b4e..397ab51b162 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -66,22 +66,24 @@ func RegisterListeners() {
 		events.RegisterListener((&TaskDeletedEvent{}).Name(), &RemoveTaskFromTypesense{})
 		events.RegisterListener((&TaskCreatedEvent{}).Name(), &AddTaskToTypesense{})
 	}
-	RegisterEventForWebhook(&TaskCreatedEvent{})
-	RegisterEventForWebhook(&TaskUpdatedEvent{})
-	RegisterEventForWebhook(&TaskDeletedEvent{})
-	RegisterEventForWebhook(&TaskAssigneeCreatedEvent{})
-	RegisterEventForWebhook(&TaskAssigneeDeletedEvent{})
-	RegisterEventForWebhook(&TaskCommentCreatedEvent{})
-	RegisterEventForWebhook(&TaskCommentUpdatedEvent{})
-	RegisterEventForWebhook(&TaskCommentDeletedEvent{})
-	RegisterEventForWebhook(&TaskAttachmentCreatedEvent{})
-	RegisterEventForWebhook(&TaskAttachmentDeletedEvent{})
-	RegisterEventForWebhook(&TaskRelationCreatedEvent{})
-	RegisterEventForWebhook(&TaskRelationDeletedEvent{})
-	RegisterEventForWebhook(&ProjectUpdatedEvent{})
-	RegisterEventForWebhook(&ProjectDeletedEvent{})
-	RegisterEventForWebhook(&ProjectSharedWithUserEvent{})
-	RegisterEventForWebhook(&ProjectSharedWithTeamEvent{})
+	if config.WebhooksEnabled.GetBool() {
+		RegisterEventForWebhook(&TaskCreatedEvent{})
+		RegisterEventForWebhook(&TaskUpdatedEvent{})
+		RegisterEventForWebhook(&TaskDeletedEvent{})
+		RegisterEventForWebhook(&TaskAssigneeCreatedEvent{})
+		RegisterEventForWebhook(&TaskAssigneeDeletedEvent{})
+		RegisterEventForWebhook(&TaskCommentCreatedEvent{})
+		RegisterEventForWebhook(&TaskCommentUpdatedEvent{})
+		RegisterEventForWebhook(&TaskCommentDeletedEvent{})
+		RegisterEventForWebhook(&TaskAttachmentCreatedEvent{})
+		RegisterEventForWebhook(&TaskAttachmentDeletedEvent{})
+		RegisterEventForWebhook(&TaskRelationCreatedEvent{})
+		RegisterEventForWebhook(&TaskRelationDeletedEvent{})
+		RegisterEventForWebhook(&ProjectUpdatedEvent{})
+		RegisterEventForWebhook(&ProjectDeletedEvent{})
+		RegisterEventForWebhook(&ProjectSharedWithUserEvent{})
+		RegisterEventForWebhook(&ProjectSharedWithTeamEvent{})
+	}
 }
 
 //////
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 39dc5c575d8..afedc7ed588 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -72,10 +72,6 @@ func init() {
 }
 
 func RegisterEventForWebhook(event events.Event) {
-	if !config.WebhooksEnabled.GetBool() {
-		return
-	}
-
 	availableWebhookEventsLock.Lock()
 	defer availableWebhookEventsLock.Unlock()
 

From 177f367a8c0bd9d4f980b5ba006c786557dd0117 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 19:58:13 +0200
Subject: [PATCH 20/28] feat(webhooks): expose whether webhooks are enabled

---
 pkg/routes/api/v1/info.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/routes/api/v1/info.go b/pkg/routes/api/v1/info.go
index d2be79da805..0b1cf243781 100644
--- a/pkg/routes/api/v1/info.go
+++ b/pkg/routes/api/v1/info.go
@@ -50,6 +50,7 @@ type vikunjaInfos struct {
 	UserDeletionEnabled        bool      `json:"user_deletion_enabled"`
 	TaskCommentsEnabled        bool      `json:"task_comments_enabled"`
 	DemoModeEnabled            bool      `json:"demo_mode_enabled"`
+	WebhooksEnabled            bool      `json:"webhooks_enabled"`
 }
 
 type authInfo struct {
@@ -94,6 +95,7 @@ func Info(c echo.Context) error {
 		UserDeletionEnabled:    config.ServiceEnableUserDeletion.GetBool(),
 		TaskCommentsEnabled:    config.ServiceEnableTaskComments.GetBool(),
 		DemoModeEnabled:        config.ServiceDemoMode.GetBool(),
+		WebhooksEnabled:        config.WebhooksEnabled.GetBool(),
 		AvailableMigrators: []string{
 			(&vikunja_file.FileMigrator{}).Name(),
 			(&ticktick.Migrator{}).Name(),

From fc0029eed7c9bd3f6d6243296cc842e82c2f9698 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 20:01:20 +0200
Subject: [PATCH 21/28] fix(webhooks): don't send the proxy auth header to the
 webhook target

---
 pkg/models/webhooks.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index afedc7ed588..a5b9eae3801 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -191,10 +191,6 @@ func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 
 	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
 
-	if config.WebhooksProxyURL.GetString() != "" && config.WebhooksProxyPassword.GetString() != "" {
-		req.Header.Add("Proxy-Authorization", base64.StdEncoding.EncodeToString([]byte(config.WebhooksProxyPassword.GetString())))
-	}
-
 	client := getWebhookHTTPClient()
 	_, err = client.Do(req)
 	if err == nil {

From 35e8183f6ab47bccae79f4ccd619090e5495c564 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 20:10:55 +0200
Subject: [PATCH 22/28] docs(webhooks): add general docs about webhooks

---
 docs/content/doc/usage/webhooks.md | 58 ++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 docs/content/doc/usage/webhooks.md

diff --git a/docs/content/doc/usage/webhooks.md b/docs/content/doc/usage/webhooks.md
new file mode 100644
index 00000000000..9f2bc0eb912
--- /dev/null
+++ b/docs/content/doc/usage/webhooks.md
@@ -0,0 +1,58 @@
+---
+title: "Webhooks"
+date: 2023-10-17T19:51:32+02:00
+draft: false
+type: doc
+menu:
+  sidebar:
+    parent: "usage"
+---
+
+# Webhooks
+
+Starting with version 0.22.0, Vikunja allows you to define webhooks to notify other services of events happening within Vikunja.
+
+{{< table_of_contents >}}
+
+## How to create webhooks
+
+To create a webhook, in the project options select "Webhooks". The form will allow you to create and modify webhooks.
+
+Check out [the api docs](https://try.vikunja.io/api/v1/docs#tag/webhooks) for information about how to create webhooks programatically.
+
+## Available events and their payload
+
+All events registered as webhook events in [the event listeners definition](https://kolaente.dev/vikunja/api/src/branch/main/pkg/models/listeners.go#L69) can be used as webhook target.
+
+A webhook payload will look similar to this:
+
+```json
+{
+	"event_name": "task.created",
+	"time": "2023-10-17T19:39:32.924194436+02:00",
+	"data": {}
+}
+```
+
+The `data` property will contain the raw event data as it was registered in the `listeners.go` file.
+
+The `time` property holds the time when the webhook payload data was sent.
+It always uses the ISO 8601 format with date, time and time zone offset.
+
+## Security considerations
+
+### Signing
+
+Vikunja allows you to provide a secret when creating the webhook.
+If you set a secret, all outgoing webhook requests will contain an `X-Vikunja-Signature` header with an HMAC signature over the webhook json payload.
+
+Check out [webhooks.fyi](https://webhooks.fyi/security/hmac) for more information about how to validate the HMAC signature.
+
+### Hosting webhook infrastructure
+
+Vikunja has support to use [mole](https://github.com/frain-dev/mole) as a proxy for outgoing webhook requests.
+This allows you to prevent SSRF attacts on your own infrastructure.
+
+You should use this and [configure it appropriately]({{< ref "../setup/config.md">}}#webhooks) if you're not the only one using your Vikunja instance.
+
+Check out [webhooks.fyi](https://webhooks.fyi/best-practices/webhook-providers#implement-security-on-egress-communication) for more information about the attack vector and reasoning to prevent this.

From 2c84cec044eb8974a40ef7fbfa9f2c92ecf311af Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 20:29:42 +0200
Subject: [PATCH 23/28] docs(webhooks): add swagger docs for all webhook
 endpoints

---
 pkg/models/api_tokens.go      |   6 +-
 pkg/models/webhooks.go        |  67 ++++++-
 pkg/routes/api/v1/webhooks.go |  10 ++
 pkg/swagger/docs.go           | 316 +++++++++++++++++++++++++++++++++-
 pkg/swagger/swagger.json      | 316 +++++++++++++++++++++++++++++++++-
 pkg/swagger/swagger.yaml      | 220 ++++++++++++++++++++++-
 6 files changed, 916 insertions(+), 19 deletions(-)

diff --git a/pkg/models/api_tokens.go b/pkg/models/api_tokens.go
index 637da13cabf..eb4dc2931d1 100644
--- a/pkg/models/api_tokens.go
+++ b/pkg/models/api_tokens.go
@@ -122,9 +122,9 @@ func HashToken(token, salt string) string {
 // @Accept json
 // @Produce json
 // @Security JWTKeyAuth
-// @Param page query int false "The page number for tasks. Used for pagination. If not provided, the first page of results is returned."
-// @Param per_page query int false "The maximum number of tasks per bucket per page. This parameter is limited by the configured maximum of items per page."
-// @Param s query string false "Search tasks by task text."
+// @Param page query int false "The page number, used for pagination. If not provided, the first page of results is returned."
+// @Param per_page query int false "The maximum number of tokens per page. This parameter is limited by the configured maximum of items per page."
+// @Param s query string false "Search tokens by their title."
 // @Success 200 {array} models.APIToken "The list of all tokens"
 // @Failure 500 {object} models.Message "Internal server error"
 // @Router /tokens [get]
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index a5b9eae3801..9dfcd9e347f 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -40,11 +40,16 @@ import (
 var webhookClient *http.Client
 
 type Webhook struct {
-	ID        int64    `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
-	TargetURL string   `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
-	Events    []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"events"`
-	ProjectID int64    `xorm:"bigint not null index" json:"project_id" param:"project"`
-	Secret    string   `xorm:"null" json:"secret"`
+	// The generated ID of this webhook target
+	ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
+	// The target URL where the POST request with the webhook payload will be made
+	TargetURL string `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
+	// The webhook events which should fire this webhook target
+	Events []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"events"`
+	// The project ID of the project this webhook target belongs to
+	ProjectID int64 `xorm:"bigint not null index" json:"project_id" param:"project"`
+	// If provided, webhook requests will be signed using HMAC. Check out the docs about how to use this: https://vikunja.io/docs/webhooks/#signing
+	Secret string `xorm:"null" json:"secret"`
 
 	// The user who initially created the webhook target.
 	CreatedBy   *user.User `xorm:"-" json:"created_by" valid:"-"`
@@ -92,6 +97,19 @@ func GetAvailableWebhookEvents() []string {
 	return evts
 }
 
+// Create creates a webhook target
+// @Summary Create a webhook target
+// @Description Create a webhook target which recieves POST requests about specified events from a project.
+// @tags webhooks
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Param id path int true "Project ID"
+// @Param webhook body models.Webhook true "The webhook target object with required fields"
+// @Success 200 {object} models.Webhook "The created webhook target."
+// @Failure 400 {object} web.HTTPError "Invalid webhook object provided."
+// @Failure 500 {object} models.Message "Internal error"
+// @Router /projects/{id}/webhooks [put]
 func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 	// TODO: check valid webhook events
 	w.CreatedByID = a.GetID()
@@ -99,6 +117,19 @@ func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 	return
 }
 
+// ReadAll returns all webhook targets for a project
+// @Summary Get all api webhook targets for the specified project
+// @Description Get all api webhook targets for the specified project.
+// @tags webhooks
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Param page query int false "The page number. Used for pagination. If not provided, the first page of results is returned."
+// @Param per_page query int false "The maximum number of items per bucket per page. This parameter is limited by the configured maximum of items per page."
+// @Param id path int true "Project ID"
+// @Success 200 {array} models.Webhook "The list of all webhook targets"
+// @Failure 500 {object} models.Message "Internal server error"
+// @Router /projects/{id}/webhooks [get]
 func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
 	p := &Project{ID: w.ProjectID}
 	can, _, err := p.CanRead(s, a)
@@ -126,6 +157,19 @@ func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, search string, page int,
 	return ws, len(ws), total, err
 }
 
+// Update updates a webhook target
+// @Summary Change a webhook target's events.
+// @Description Change a webhook target's events. You cannot change other values of a webhook.
+// @tags webhooks
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Param id path int true "Project ID"
+// @Param webhookID path int true "Webhook ID"
+// @Success 200 {object} models.Webhook "Updated webhook target"
+// @Failure 404 {object} web.HTTPError "The webhok target does not exist"
+// @Failure 500 {object} models.Message "Internal error"
+// @Router /projects/{id}/webhooks/{webhookID} [post]
 func (w *Webhook) Update(s *xorm.Session, a web.Auth) (err error) {
 	// TODO validate webhook events
 	_, err = s.Where("id = ?", w.ID).
@@ -134,6 +178,19 @@ func (w *Webhook) Update(s *xorm.Session, a web.Auth) (err error) {
 	return
 }
 
+// Delete deletes a webhook target
+// @Summary Deletes an existing webhook target
+// @Description Delete any of the project's webhook targets.
+// @tags webhooks
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Param id path int true "Project ID"
+// @Param webhookID path int true "Webhook ID"
+// @Success 200 {object} models.Message "Successfully deleted."
+// @Failure 404 {object} web.HTTPError "The webhok target does not exist."
+// @Failure 500 {object} models.Message "Internal error"
+// @Router /projects/{id}/webhooks/{webhookID} [delete]
 func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
 	_, err = s.Where("id = ?", w.ID).Delete(&Webhook{})
 	return
diff --git a/pkg/routes/api/v1/webhooks.go b/pkg/routes/api/v1/webhooks.go
index 1f418e3c40d..7c0a435c0b5 100644
--- a/pkg/routes/api/v1/webhooks.go
+++ b/pkg/routes/api/v1/webhooks.go
@@ -22,6 +22,16 @@ import (
 	"net/http"
 )
 
+// GetAvailableWebhookEvents returns a list of all possible webhook target events
+// @Summary Get all possible webhook events
+// @Description Get all possible webhook events to use when creating or updating a webhook target.
+// @tags webhooks
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Success 200 {array} string "The list of all possible webhook events"
+// @Failure 500 {object} models.Message "Internal server error"
+// @Router /webhooks/events [get]
 func GetAvailableWebhookEvents(c echo.Context) error {
 	return c.JSON(http.StatusOK, models.GetAvailableWebhookEvents())
 }
diff --git a/pkg/swagger/docs.go b/pkg/swagger/docs.go
index c56d835ad4a..6ca74bb7b8f 100644
--- a/pkg/swagger/docs.go
+++ b/pkg/swagger/docs.go
@@ -2425,6 +2425,230 @@ const docTemplate = `{
                 }
             }
         },
+        "/projects/{id}/webhooks": {
+            "get": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Get all api webhook targets for the specified project.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Get all api webhook targets for the specified project",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "The page number. Used for pagination. If not provided, the first page of results is returned.",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "The maximum number of items per bucket per page. This parameter is limited by the configured maximum of items per page.",
+                        "name": "per_page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The list of all webhook targets",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/models.Webhook"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Create a webhook target which recieves POST requests about specified events from a project.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Create a webhook target",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "The webhook target object with required fields",
+                        "name": "webhook",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The created webhook target.",
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    },
+                    "400": {
+                        "description": "Invalid webhook object provided.",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
+        "/projects/{id}/webhooks/{webhookID}": {
+            "post": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Change a webhook target's events. You cannot change other values of a webhook.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Change a webhook target's events.",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Webhook ID",
+                        "name": "webhookID",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Updated webhook target",
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    },
+                    "404": {
+                        "description": "The webhok target does not exist",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            },
+            "delete": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Delete any of the project's webhook targets.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Deletes an existing webhook target",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Webhook ID",
+                        "name": "webhookID",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Successfully deleted.",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    },
+                    "404": {
+                        "description": "The webhok target does not exist.",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
         "/projects/{projectID}/buckets/{bucketID}": {
             "post": {
                 "security": [
@@ -5427,19 +5651,19 @@ const docTemplate = `{
                 "parameters": [
                     {
                         "type": "integer",
-                        "description": "The page number for tasks. Used for pagination. If not provided, the first page of results is returned.",
+                        "description": "The page number, used for pagination. If not provided, the first page of results is returned.",
                         "name": "page",
                         "in": "query"
                     },
                     {
                         "type": "integer",
-                        "description": "The maximum number of tasks per bucket per page. This parameter is limited by the configured maximum of items per page.",
+                        "description": "The maximum number of tokens per page. This parameter is limited by the configured maximum of items per page.",
                         "name": "per_page",
                         "in": "query"
                     },
                     {
                         "type": "string",
-                        "description": "Search tasks by task text.",
+                        "description": "Search tokens by their title.",
                         "name": "s",
                         "in": "query"
                     }
@@ -6783,6 +7007,43 @@ const docTemplate = `{
                 }
             }
         },
+        "/webhooks/events": {
+            "get": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Get all possible webhook events to use when creating or updating a webhook target.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Get all possible webhook events",
+                "responses": {
+                    "200": {
+                        "description": "The list of all possible webhook events",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
         "/{username}/avatar": {
             "get": {
                 "description": "Returns the user avatar as image.",
@@ -8188,6 +8449,52 @@ const docTemplate = `{
                 }
             }
         },
+        "models.Webhook": {
+            "type": "object",
+            "properties": {
+                "created": {
+                    "description": "A timestamp when this webhook target was created. You cannot change this value.",
+                    "type": "string"
+                },
+                "created_by": {
+                    "description": "The user who initially created the webhook target.",
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/user.User"
+                        }
+                    ]
+                },
+                "events": {
+                    "description": "The webhook events which should fire this webhook target",
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "minLength": 1
+                    }
+                },
+                "id": {
+                    "description": "The generated ID of this webhook target",
+                    "type": "integer"
+                },
+                "project_id": {
+                    "description": "The project ID of the project this webhook target belongs to",
+                    "type": "integer"
+                },
+                "secret": {
+                    "description": "If provided, webhook requests will be signed using HMAC. Check out the docs about how to use this: https://vikunja.io/docs/webhooks/#signing",
+                    "type": "string"
+                },
+                "target_url": {
+                    "description": "The target URL where the POST request with the webhook payload will be made",
+                    "type": "string",
+                    "minLength": 1
+                },
+                "updated": {
+                    "description": "A timestamp when this webhook target was last updated. You cannot change this value.",
+                    "type": "string"
+                }
+            }
+        },
         "notifications.DatabaseNotification": {
             "type": "object",
             "properties": {
@@ -8618,6 +8925,9 @@ const docTemplate = `{
                 },
                 "version": {
                     "type": "string"
+                },
+                "webhooks_enabled": {
+                    "type": "boolean"
                 }
             }
         },
diff --git a/pkg/swagger/swagger.json b/pkg/swagger/swagger.json
index 071f437a0e8..649ca6463e7 100644
--- a/pkg/swagger/swagger.json
+++ b/pkg/swagger/swagger.json
@@ -2417,6 +2417,230 @@
                 }
             }
         },
+        "/projects/{id}/webhooks": {
+            "get": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Get all api webhook targets for the specified project.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Get all api webhook targets for the specified project",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "The page number. Used for pagination. If not provided, the first page of results is returned.",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "The maximum number of items per bucket per page. This parameter is limited by the configured maximum of items per page.",
+                        "name": "per_page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The list of all webhook targets",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/models.Webhook"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Create a webhook target which recieves POST requests about specified events from a project.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Create a webhook target",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "The webhook target object with required fields",
+                        "name": "webhook",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "The created webhook target.",
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    },
+                    "400": {
+                        "description": "Invalid webhook object provided.",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
+        "/projects/{id}/webhooks/{webhookID}": {
+            "post": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Change a webhook target's events. You cannot change other values of a webhook.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Change a webhook target's events.",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Webhook ID",
+                        "name": "webhookID",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Updated webhook target",
+                        "schema": {
+                            "$ref": "#/definitions/models.Webhook"
+                        }
+                    },
+                    "404": {
+                        "description": "The webhok target does not exist",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            },
+            "delete": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Delete any of the project's webhook targets.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Deletes an existing webhook target",
+                "parameters": [
+                    {
+                        "type": "integer",
+                        "description": "Project ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Webhook ID",
+                        "name": "webhookID",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Successfully deleted.",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    },
+                    "404": {
+                        "description": "The webhok target does not exist.",
+                        "schema": {
+                            "$ref": "#/definitions/web.HTTPError"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
         "/projects/{projectID}/buckets/{bucketID}": {
             "post": {
                 "security": [
@@ -5419,19 +5643,19 @@
                 "parameters": [
                     {
                         "type": "integer",
-                        "description": "The page number for tasks. Used for pagination. If not provided, the first page of results is returned.",
+                        "description": "The page number, used for pagination. If not provided, the first page of results is returned.",
                         "name": "page",
                         "in": "query"
                     },
                     {
                         "type": "integer",
-                        "description": "The maximum number of tasks per bucket per page. This parameter is limited by the configured maximum of items per page.",
+                        "description": "The maximum number of tokens per page. This parameter is limited by the configured maximum of items per page.",
                         "name": "per_page",
                         "in": "query"
                     },
                     {
                         "type": "string",
-                        "description": "Search tasks by task text.",
+                        "description": "Search tokens by their title.",
                         "name": "s",
                         "in": "query"
                     }
@@ -6775,6 +6999,43 @@
                 }
             }
         },
+        "/webhooks/events": {
+            "get": {
+                "security": [
+                    {
+                        "JWTKeyAuth": []
+                    }
+                ],
+                "description": "Get all possible webhook events to use when creating or updating a webhook target.",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "webhooks"
+                ],
+                "summary": "Get all possible webhook events",
+                "responses": {
+                    "200": {
+                        "description": "The list of all possible webhook events",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal server error",
+                        "schema": {
+                            "$ref": "#/definitions/models.Message"
+                        }
+                    }
+                }
+            }
+        },
         "/{username}/avatar": {
             "get": {
                 "description": "Returns the user avatar as image.",
@@ -8180,6 +8441,52 @@
                 }
             }
         },
+        "models.Webhook": {
+            "type": "object",
+            "properties": {
+                "created": {
+                    "description": "A timestamp when this webhook target was created. You cannot change this value.",
+                    "type": "string"
+                },
+                "created_by": {
+                    "description": "The user who initially created the webhook target.",
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/user.User"
+                        }
+                    ]
+                },
+                "events": {
+                    "description": "The webhook events which should fire this webhook target",
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "minLength": 1
+                    }
+                },
+                "id": {
+                    "description": "The generated ID of this webhook target",
+                    "type": "integer"
+                },
+                "project_id": {
+                    "description": "The project ID of the project this webhook target belongs to",
+                    "type": "integer"
+                },
+                "secret": {
+                    "description": "If provided, webhook requests will be signed using HMAC. Check out the docs about how to use this: https://vikunja.io/docs/webhooks/#signing",
+                    "type": "string"
+                },
+                "target_url": {
+                    "description": "The target URL where the POST request with the webhook payload will be made",
+                    "type": "string",
+                    "minLength": 1
+                },
+                "updated": {
+                    "description": "A timestamp when this webhook target was last updated. You cannot change this value.",
+                    "type": "string"
+                }
+            }
+        },
         "notifications.DatabaseNotification": {
             "type": "object",
             "properties": {
@@ -8610,6 +8917,9 @@
                 },
                 "version": {
                     "type": "string"
+                },
+                "webhooks_enabled": {
+                    "type": "boolean"
                 }
             }
         },
diff --git a/pkg/swagger/swagger.yaml b/pkg/swagger/swagger.yaml
index f9f78cead7b..26d0d897d80 100644
--- a/pkg/swagger/swagger.yaml
+++ b/pkg/swagger/swagger.yaml
@@ -1040,6 +1040,42 @@ definitions:
         minLength: 1
         type: string
     type: object
+  models.Webhook:
+    properties:
+      created:
+        description: A timestamp when this webhook target was created. You cannot
+          change this value.
+        type: string
+      created_by:
+        allOf:
+        - $ref: '#/definitions/user.User'
+        description: The user who initially created the webhook target.
+      events:
+        description: The webhook events which should fire this webhook target
+        items:
+          minLength: 1
+          type: string
+        type: array
+      id:
+        description: The generated ID of this webhook target
+        type: integer
+      project_id:
+        description: The project ID of the project this webhook target belongs to
+        type: integer
+      secret:
+        description: 'If provided, webhook requests will be signed using HMAC. Check
+          out the docs about how to use this: https://vikunja.io/docs/webhooks/#signing'
+        type: string
+      target_url:
+        description: The target URL where the POST request with the webhook payload
+          will be made
+        minLength: 1
+        type: string
+      updated:
+        description: A timestamp when this webhook target was last updated. You cannot
+          change this value.
+        type: string
+    type: object
   notifications.DatabaseNotification:
     properties:
       created:
@@ -1352,6 +1388,8 @@ definitions:
         type: boolean
       version:
         type: string
+      webhooks_enabled:
+        type: boolean
     type: object
   web.HTTPError:
     properties:
@@ -3004,6 +3042,154 @@ paths:
       summary: Add a user to a project
       tags:
       - sharing
+  /projects/{id}/webhooks:
+    get:
+      consumes:
+      - application/json
+      description: Get all api webhook targets for the specified project.
+      parameters:
+      - description: The page number. Used for pagination. If not provided, the first
+          page of results is returned.
+        in: query
+        name: page
+        type: integer
+      - description: The maximum number of items per bucket per page. This parameter
+          is limited by the configured maximum of items per page.
+        in: query
+        name: per_page
+        type: integer
+      - description: Project ID
+        in: path
+        name: id
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: The list of all webhook targets
+          schema:
+            items:
+              $ref: '#/definitions/models.Webhook'
+            type: array
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/models.Message'
+      security:
+      - JWTKeyAuth: []
+      summary: Get all api webhook targets for the specified project
+      tags:
+      - webhooks
+    put:
+      consumes:
+      - application/json
+      description: Create a webhook target which recieves POST requests about specified
+        events from a project.
+      parameters:
+      - description: Project ID
+        in: path
+        name: id
+        required: true
+        type: integer
+      - description: The webhook target object with required fields
+        in: body
+        name: webhook
+        required: true
+        schema:
+          $ref: '#/definitions/models.Webhook'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: The created webhook target.
+          schema:
+            $ref: '#/definitions/models.Webhook'
+        "400":
+          description: Invalid webhook object provided.
+          schema:
+            $ref: '#/definitions/web.HTTPError'
+        "500":
+          description: Internal error
+          schema:
+            $ref: '#/definitions/models.Message'
+      security:
+      - JWTKeyAuth: []
+      summary: Create a webhook target
+      tags:
+      - webhooks
+  /projects/{id}/webhooks/{webhookID}:
+    delete:
+      consumes:
+      - application/json
+      description: Delete any of the project's webhook targets.
+      parameters:
+      - description: Project ID
+        in: path
+        name: id
+        required: true
+        type: integer
+      - description: Webhook ID
+        in: path
+        name: webhookID
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: Successfully deleted.
+          schema:
+            $ref: '#/definitions/models.Message'
+        "404":
+          description: The webhok target does not exist.
+          schema:
+            $ref: '#/definitions/web.HTTPError'
+        "500":
+          description: Internal error
+          schema:
+            $ref: '#/definitions/models.Message'
+      security:
+      - JWTKeyAuth: []
+      summary: Deletes an existing webhook target
+      tags:
+      - webhooks
+    post:
+      consumes:
+      - application/json
+      description: Change a webhook target's events. You cannot change other values
+        of a webhook.
+      parameters:
+      - description: Project ID
+        in: path
+        name: id
+        required: true
+        type: integer
+      - description: Webhook ID
+        in: path
+        name: webhookID
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: Updated webhook target
+          schema:
+            $ref: '#/definitions/models.Webhook'
+        "404":
+          description: The webhok target does not exist
+          schema:
+            $ref: '#/definitions/web.HTTPError'
+        "500":
+          description: Internal error
+          schema:
+            $ref: '#/definitions/models.Message'
+      security:
+      - JWTKeyAuth: []
+      summary: Change a webhook target's events.
+      tags:
+      - webhooks
   /projects/{project}/shares:
     get:
       consumes:
@@ -5018,17 +5204,17 @@ paths:
       - application/json
       description: Returns all api tokens the current user has created.
       parameters:
-      - description: The page number for tasks. Used for pagination. If not provided,
-          the first page of results is returned.
+      - description: The page number, used for pagination. If not provided, the first
+          page of results is returned.
         in: query
         name: page
         type: integer
-      - description: The maximum number of tasks per bucket per page. This parameter
-          is limited by the configured maximum of items per page.
+      - description: The maximum number of tokens per page. This parameter is limited
+          by the configured maximum of items per page.
         in: query
         name: per_page
         type: integer
-      - description: Search tasks by task text.
+      - description: Search tokens by their title.
         in: query
         name: s
         type: string
@@ -5901,6 +6087,30 @@ paths:
       summary: Get users
       tags:
       - user
+  /webhooks/events:
+    get:
+      consumes:
+      - application/json
+      description: Get all possible webhook events to use when creating or updating
+        a webhook target.
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: The list of all possible webhook events
+          schema:
+            items:
+              type: string
+            type: array
+        "500":
+          description: Internal server error
+          schema:
+            $ref: '#/definitions/models.Message'
+      security:
+      - JWTKeyAuth: []
+      summary: Get all possible webhook events
+      tags:
+      - webhooks
 securityDefinitions:
   BasicAuth:
     type: basic

From 7a74e491dab14090f57dd272562e6b03ce1acdca Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 20:35:05 +0200
Subject: [PATCH 24/28] fix(webhooks): lint

---
 pkg/migration/20230913202615.go |  3 ++-
 pkg/models/listeners.go         | 12 ++++++------
 pkg/models/webhooks.go          | 15 ++++++++-------
 pkg/routes/api/v1/webhooks.go   |  3 ++-
 4 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/pkg/migration/20230913202615.go b/pkg/migration/20230913202615.go
index 5eceba38d1f..206d4555a2a 100644
--- a/pkg/migration/20230913202615.go
+++ b/pkg/migration/20230913202615.go
@@ -17,8 +17,9 @@
 package migration
 
 import (
-	"src.techknowlogick.com/xormigrate"
 	"time"
+
+	"src.techknowlogick.com/xormigrate"
 	"xorm.io/xorm"
 )
 
diff --git a/pkg/models/listeners.go b/pkg/models/listeners.go
index 397ab51b162..071f78d2048 100644
--- a/pkg/models/listeners.go
+++ b/pkg/models/listeners.go
@@ -648,11 +648,11 @@ func getProjectIDFromAnyEvent(eventPayload map[string]interface{}) int64 {
 	if task, has := eventPayload["task"]; has {
 		t := task.(map[string]interface{})
 		if projectID, has := t["project_id"]; has {
-			switch projectID.(type) {
+			switch v := projectID.(type) {
 			case int64:
-				return projectID.(int64)
+				return v
 			case float64:
-				return int64(projectID.(float64))
+				return int64(v)
 			}
 			return projectID.(int64)
 		}
@@ -661,11 +661,11 @@ func getProjectIDFromAnyEvent(eventPayload map[string]interface{}) int64 {
 	if project, has := eventPayload["project"]; has {
 		t := project.(map[string]interface{})
 		if projectID, has := t["id"]; has {
-			switch projectID.(type) {
+			switch v := projectID.(type) {
 			case int64:
-				return projectID.(int64)
+				return v
 			case float64:
-				return int64(projectID.(float64))
+				return int64(v)
 			}
 			return projectID.(int64)
 		}
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 9dfcd9e347f..87a1dc3fc85 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -18,12 +18,6 @@ package models
 
 import (
 	"bytes"
-	"code.vikunja.io/api/pkg/config"
-	"code.vikunja.io/api/pkg/events"
-	"code.vikunja.io/api/pkg/log"
-	"code.vikunja.io/api/pkg/user"
-	"code.vikunja.io/api/pkg/version"
-	"code.vikunja.io/web"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
@@ -34,6 +28,13 @@ import (
 	"sort"
 	"sync"
 	"time"
+
+	"code.vikunja.io/api/pkg/config"
+	"code.vikunja.io/api/pkg/events"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/version"
+	"code.vikunja.io/web"
 	"xorm.io/xorm"
 )
 
@@ -99,7 +100,7 @@ func GetAvailableWebhookEvents() []string {
 
 // Create creates a webhook target
 // @Summary Create a webhook target
-// @Description Create a webhook target which recieves POST requests about specified events from a project.
+// @Description Create a webhook target which receives POST requests about specified events from a project.
 // @tags webhooks
 // @Accept json
 // @Produce json
diff --git a/pkg/routes/api/v1/webhooks.go b/pkg/routes/api/v1/webhooks.go
index 7c0a435c0b5..91ec993637b 100644
--- a/pkg/routes/api/v1/webhooks.go
+++ b/pkg/routes/api/v1/webhooks.go
@@ -17,9 +17,10 @@
 package v1
 
 import (
+	"net/http"
+
 	"code.vikunja.io/api/pkg/models"
 	"github.com/labstack/echo/v4"
-	"net/http"
 )
 
 // GetAvailableWebhookEvents returns a list of all possible webhook target events

From b4e3d8ee47a222bb52dbcf8719ba689bd5b5f10a Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 17 Oct 2023 20:40:09 +0200
Subject: [PATCH 25/28] fix(webhooks): lint

---
 pkg/models/webhooks.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 87a1dc3fc85..15f45ed7d4e 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -18,6 +18,7 @@ package models
 
 import (
 	"bytes"
+	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
@@ -131,7 +132,7 @@ func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 // @Success 200 {array} models.Webhook "The list of all webhook targets"
 // @Failure 500 {object} models.Message "Internal server error"
 // @Router /projects/{id}/webhooks [get]
-func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, _ string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
 	p := &Project{ID: w.ProjectID}
 	can, _, err := p.CanRead(s, a)
 	if err != nil {
@@ -171,7 +172,7 @@ func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, search string, page int,
 // @Failure 404 {object} web.HTTPError "The webhok target does not exist"
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{id}/webhooks/{webhookID} [post]
-func (w *Webhook) Update(s *xorm.Session, a web.Auth) (err error) {
+func (w *Webhook) Update(s *xorm.Session, _ web.Auth) (err error) {
 	// TODO validate webhook events
 	_, err = s.Where("id = ?", w.ID).
 		Cols("events").
@@ -192,7 +193,7 @@ func (w *Webhook) Update(s *xorm.Session, a web.Auth) (err error) {
 // @Failure 404 {object} web.HTTPError "The webhok target does not exist."
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{id}/webhooks/{webhookID} [delete]
-func (w *Webhook) Delete(s *xorm.Session, a web.Auth) (err error) {
+func (w *Webhook) Delete(s *xorm.Session, _ web.Auth) (err error) {
 	_, err = s.Where("id = ?", w.ID).Delete(&Webhook{})
 	return
 }
@@ -232,7 +233,7 @@ func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 		return err
 	}
 
-	req, err := http.NewRequest(http.MethodPost, w.TargetURL, bytes.NewReader(payload))
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, w.TargetURL, bytes.NewReader(payload))
 	if err != nil {
 		return err
 	}
@@ -250,9 +251,12 @@ func (w *Webhook) sendWebhookPayload(p *WebhookPayload) (err error) {
 	req.Header.Add("User-Agent", "Vikunja/"+version.Version)
 
 	client := getWebhookHTTPClient()
-	_, err = client.Do(req)
-	if err == nil {
-		log.Debugf("Sent webhook payload for webhook %d for event %s", w.ID, p.EventName)
+	res, err := client.Do(req)
+	if err != nil {
+		return err
 	}
+
+	defer res.Body.Close()
+	log.Debugf("Sent webhook payload for webhook %d for event %s", w.ID, p.EventName)
 	return
 }

From 72366a5b27140647eef4694fd9edb952b120ee9c Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 18 Oct 2023 20:06:07 +0200
Subject: [PATCH 26/28] feat(webhooks): add created by user object when
 returning all webhooks

---
 pkg/models/webhooks.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index 15f45ed7d4e..cc8884d437b 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -156,6 +156,21 @@ func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, _ string, page int, perPa
 		return
 	}
 
+	userIDs := []int64{}
+	for _, webhook := range ws {
+		userIDs = append(userIDs, webhook.CreatedByID)
+	}
+
+	users, err := user.GetUsersByIDs(s, userIDs)
+	if err != nil {
+		return nil, 0, 0, err
+	}
+
+	for _, webhook := range ws {
+		webhook.Secret = ""
+		webhook.CreatedBy = users[webhook.CreatedByID]
+	}
+
 	return ws, len(ws), total, err
 }
 

From 61cd08fa13539b9ae625d0dbcdbcc3450b27e650 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Wed, 18 Oct 2023 22:18:45 +0200
Subject: [PATCH 27/28] fix(webhooks): add created by user object when creating
 a webhook

---
 pkg/models/webhooks.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index cc8884d437b..b40c94d6a1e 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -116,6 +116,11 @@ func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
 	// TODO: check valid webhook events
 	w.CreatedByID = a.GetID()
 	_, err = s.Insert(w)
+	if err != nil {
+		return err
+	}
+
+	w.CreatedBy, err = user.GetUserByID(s, a.GetID())
 	return
 }
 

From 55d345e2365d954c2c8d0013d246f645ed669ebc Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Fri, 20 Oct 2023 12:42:28 +0200
Subject: [PATCH 28/28] feat(webhooks): validate events and target url

---
 pkg/models/error.go      | 11 +++++++++++
 pkg/models/webhooks.go   | 24 ++++++++++++++++++++----
 pkg/routes/validation.go | 12 +-----------
 3 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/pkg/models/error.go b/pkg/models/error.go
index 73866ad7a87..946bde87f10 100644
--- a/pkg/models/error.go
+++ b/pkg/models/error.go
@@ -110,6 +110,17 @@ func (err ValidationHTTPError) Error() string {
 	return theErr.Error()
 }
 
+func InvalidFieldError(fields []string) error {
+	return ValidationHTTPError{
+		HTTPError: web.HTTPError{
+			HTTPCode: http.StatusPreconditionFailed,
+			Code:     ErrCodeInvalidData,
+			Message:  "Invalid Data",
+		},
+		InvalidFields: fields,
+	}
+}
+
 // ===========
 // Project errors
 // ===========
diff --git a/pkg/models/webhooks.go b/pkg/models/webhooks.go
index b40c94d6a1e..983b2bd41a5 100644
--- a/pkg/models/webhooks.go
+++ b/pkg/models/webhooks.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"net/url"
 	"sort"
+	"strings"
 	"sync"
 	"time"
 
@@ -45,9 +46,9 @@ type Webhook struct {
 	// The generated ID of this webhook target
 	ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"webhook"`
 	// The target URL where the POST request with the webhook payload will be made
-	TargetURL string `xorm:"not null" valid:"minstringlength(1)" minLength:"1" json:"target_url"`
+	TargetURL string `xorm:"not null" valid:"required,url" json:"target_url"`
 	// The webhook events which should fire this webhook target
-	Events []string `xorm:"JSON not null" valid:"minstringlength(1)" minLength:"1" json:"events"`
+	Events []string `xorm:"JSON not null" valid:"required" json:"events"`
 	// The project ID of the project this webhook target belongs to
 	ProjectID int64 `xorm:"bigint not null index" json:"project_id" param:"project"`
 	// If provided, webhook requests will be signed using HMAC. Check out the docs about how to use this: https://vikunja.io/docs/webhooks/#signing
@@ -113,7 +114,17 @@ func GetAvailableWebhookEvents() []string {
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{id}/webhooks [put]
 func (w *Webhook) Create(s *xorm.Session, a web.Auth) (err error) {
-	// TODO: check valid webhook events
+
+	if !strings.HasPrefix(w.TargetURL, "http") {
+		return InvalidFieldError([]string{"target_url"})
+	}
+
+	for _, event := range w.Events {
+		if _, has := availableWebhookEvents[event]; !has {
+			return InvalidFieldError([]string{"events"})
+		}
+	}
+
 	w.CreatedByID = a.GetID()
 	_, err = s.Insert(w)
 	if err != nil {
@@ -193,7 +204,12 @@ func (w *Webhook) ReadAll(s *xorm.Session, a web.Auth, _ string, page int, perPa
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{id}/webhooks/{webhookID} [post]
 func (w *Webhook) Update(s *xorm.Session, _ web.Auth) (err error) {
-	// TODO validate webhook events
+	for _, event := range w.Events {
+		if _, has := availableWebhookEvents[event]; !has {
+			return InvalidFieldError([]string{"events"})
+		}
+	}
+
 	_, err = s.Where("id = ?", w.ID).
 		Cols("events").
 		Update(w)
diff --git a/pkg/routes/validation.go b/pkg/routes/validation.go
index 5f01eac39b3..34bba04e698 100644
--- a/pkg/routes/validation.go
+++ b/pkg/routes/validation.go
@@ -17,11 +17,8 @@
 package routes
 
 import (
-	"net/http"
-
 	"code.vikunja.io/api/pkg/models"
 
-	"code.vikunja.io/web"
 	"github.com/asaskevich/govalidator"
 )
 
@@ -43,14 +40,7 @@ func (cv *CustomValidator) Validate(i interface{}) error {
 			errs = append(errs, field+": "+e)
 		}
 
-		return models.ValidationHTTPError{
-			HTTPError: web.HTTPError{
-				HTTPCode: http.StatusPreconditionFailed,
-				Code:     models.ErrCodeInvalidData,
-				Message:  "Invalid Data",
-			},
-			InvalidFields: errs,
-		}
+		return models.InvalidFieldError(errs)
 	}
 	return nil
 }