fix: add webhook authentication validation for GitLab and Forgejo providers#411

Open
sahu-virendra-1908 wants to merge 3 commits into LF-Decentralized-Trust-labs:main from sahu-virendra-1908:fix-forge-webhook-auth
Conversation

@sahu-virendra-1908

This PR adds authentication validation for GitLab and Forgejo webhook endpoints before processing incoming webhook events.

Previously, GitLab and Forgejo webhook handlers accepted and processed webhook payloads without verifying the authenticity of the request. This could allow unauthorized requests to trigger webhook processing, create or update issue records, and invoke downstream agent workflows.

This change introduces provider-specific webhook authentication checks and rejects invalid requests with HTTP 401 Unauthorized before any event processing occurs.

Related Issue

Fixes #407

Type of Change

  • fix
  • feat
  • docs
  • refactor
  • perf
  • test
  • build
  • breaking
  • chore

Changes Made

GitLab Webhook Validation

Added webhook token validation using the X-Gitlab-Token header.

  • Introduced validateGitLabToken()
  • Fetches configured webhook secrets from active project webhook configurations
  • Uses crypto.timingSafeEqual() for secure comparison
  • Rejects requests with missing or invalid tokens

Forgejo Webhook Validation

Added webhook signature validation using the X-Gitea-Signature header.

  • Introduced validateForgejoSignature()
  • Verifies HMAC-SHA256 signatures against the configured webhook secret
  • Uses constant-time comparison to prevent timing attacks
  • Rejects requests with invalid signatures before processing

Webhook Processing Protection

Authentication is now enforced before:

  • Webhook delivery logging
  • Event mapping and processing
  • Issue creation/update operations
  • Agent wakeup workflows
  • Downstream automation execution

Unauthenticated requests now receive:

401 Unauthorized

instead of being processed.

Security Impact

This change mitigates a vulnerability where GitLab and Forgejo webhook endpoints could process unauthenticated requests.

Without validation, a malicious actor could potentially:

  • Send forged webhook events
  • Trigger unauthorized issue lifecycle changes
  • Generate unnecessary agent executions
  • Cause excessive resource consumption through repeated webhook submissions

The new validation layer ensures that only requests originating from configured forge providers are accepted.

How Was This Tested?

  • Local run
  • Unit tests
  • Integration tests
  • Not tested (explain why)

Notes:

  • Verified successful processing with valid authentication headers.
  • Verified invalid or missing authentication headers return HTTP 401.
  • Confirmed webhook processing does not proceed when validation fails.

CE & Security Check

  • Targets GitMesh CE only (no EE code)
  • No secrets or credentials committed

Screenshots / Demos (if UI or UX)

N/A – Backend security fix.

Checklist

  • Code follows project style
  • Self-reviewed
  • Tests updated/added where needed
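The two provider checks and the 401 gate described above, as an added example written for this page; it is not the code from server/src/api/forge-webhooks.ts. It assumes header names have already been lowercased (as Express does) and that `secrets` stands in for the tokens of the active project webhook configurations.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Headers = Record<string, string | undefined>;

// Constant-time comparison; a length mismatch is rejected up front because
// timingSafeEqual throws when the two buffers differ in length.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// GitLab sends the configured secret verbatim in X-Gitlab-Token.
// `secrets` is a constructed stand-in for the configured webhook secrets.
function validateGitLabToken(headers: Headers, secrets: string[]): boolean {
  const token = headers["x-gitlab-token"];
  if (!token) return false;
  // Compare against every secret (no early exit) so a miss costs the same work.
  let matched = false;
  for (const s of secrets) if (safeEqual(token, s)) matched = true;
  return matched;
}

// Forgejo/Gitea put hex(HMAC-SHA256(secret, body)) in X-Gitea-Signature.
// The MAC must be computed over the raw request bytes, not a re-serialized body.
function forgejoSignature(rawBody: Buffer, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

function validateForgejoSignature(headers: Headers, rawBody: Buffer, secret: string): boolean {
  const sig = headers["x-gitea-signature"];
  if (!sig) return false;
  return safeEqual(sig.toLowerCase(), forgejoSignature(rawBody, secret));
}

// Gate that runs before delivery logging, event mapping or any issue/agent work.
// Returns the HTTP status the handler should answer with; 401 stops processing.
function authorizeWebhook(provider: "gitlab" | "forgejo", headers: Headers,
                          rawBody: Buffer, secrets: string[]): 200 | 401 {
  const ok = provider === "gitlab"
    ? validateGitLabToken(headers, secrets)
    : secrets.some((s) => validateForgejoSignature(headers, rawBody, s));
  return ok ? 200 : 401;
}
```

The Forgejo check needs the raw body buffer, so the route must capture it before JSON parsing runs; a body that is re-stringified after parsing will not reproduce the sender's MAC.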

Signed-off-by: sahu-virendra-1908 <virendrashivsahu@gmail.com>
Signed-off-by: sahu-virendra-1908 <virendrashivsahu@gmail.com>
…ders

GitLab:
- Validate X-Gitlab-Token against configured webhook secret

Forgejo/Gitea:
- Validate X-Gitea-Signature using HMAC-SHA256

This prevents unauthenticated webhook requests from creating,
modifying, or triggering issue and pull request workflows.

Signed-off-by: sahu-virendra-1908 <virendrashivsahu@gmail.com>

git log -1#:wq
@sahu-virendra-1908
Author

@Ronit-Raj9 @Parvm1102 @vibhor-5

Please review this PR.

This PR adds authentication validation for GitLab and Forgejo webhook endpoints in server/src/api/forge-webhooks.ts.

Previously, webhook requests from GitLab and Forgejo could be processed without validating provider-specific authentication headers. This could allow unauthenticated webhook payloads to reach event-processing logic and trigger downstream workflows.

Changes included in this PR:

  • Added GitLab webhook token validation using X-Gitlab-Token
  • Added Forgejo/Gitea HMAC-SHA256 signature validation using X-Gitea-Signature
  • Reject invalid webhook requests with 401 Unauthorized
  • Prevent unauthenticated webhook events from being processed
  • Ensure webhook-driven issue and agent workflows are executed only for authenticated requests

If any improvements, corrections, or additional changes are needed, please let me know and I will update the PR accordingly.

Development

Successfully merging this pull request may close these issues.

bug: GitLab and Forgejo webhook endpoints do not validate webhook authentication before processing events