Skip to content

Harden console Slack webhook config #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
firstedition0123 wants to merge 3 commits into
base: master
Choose a base branch
from
+65 −1
Open

Harden console Slack webhook config #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3aba596
Remove console Slack webhook from source control
firstedition0123 May 15, 2026
6f06854
Address console Slack checker review warning
firstedition0123 May 15, 2026
8a88298
Make console Slack checker formatting tolerant
firstedition0123 May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion console/config/main.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@
require(__DIR__ . '/params-local.php')
);

$consoleSlackWebhookUrl = getenv('CONSOLE_SLACK_WEBHOOK_URL');
if (!$consoleSlackWebhookUrl) {
$consoleSlackWebhookUrl = getenv('SLACK_WEBHOOK_URL') ?: '';
}

return [
'id' => 'app-console',
'basePath' => dirname(__DIR__),
Expand All @@ -26,7 +31,7 @@

'slack' => [
'class' => 'understeam\slack\Client',
'url' => 'https://hooks.slack.com/services/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',
'url' => $consoleSlackWebhookUrl,
'username' => 'StudentHub',
],
'log' => [
Expand Down
18 changes: 18 additions & 0 deletions docs/console-slack-env.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Console Slack Webhook Configuration

The console app reads Slack webhook URLs from runtime environment variables instead of storing a webhook in `console/config/main.php`.

## Variables

- `CONSOLE_SLACK_WEBHOOK_URL`: Optional console-specific Slack incoming webhook URL.
- `SLACK_WEBHOOK_URL`: Shared fallback webhook URL used when `CONSOLE_SLACK_WEBHOOK_URL` is not set.

Store these values in the deployment secret manager or in local environment files that are excluded from source control. Do not commit full Slack webhook URLs.

## Regression Check

Run the console Slack hardening check before opening config changes:

```bash
python scripts/check-console-slack-hardening.py
```
41 changes: 41 additions & 0 deletions scripts/check-console-slack-hardening.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
#!/usr/bin/env python3
"""Validate that console Slack webhook config stays environment-backed."""

import re
from pathlib import Path


ROOT = Path(__file__).resolve().parents[1]
CONSOLE_CONFIG = ROOT / "console" / "config" / "main.php"


def main() -> int:
"""Return a non-zero exit code when console Slack hardening regresses."""

text = CONSOLE_CONFIG.read_text(encoding="utf-8")
failures = []

if "hooks.slack.com/services" in text:
failures.append("console/config/main.php still contains a Slack webhook URL")

if "CONSOLE_SLACK_WEBHOOK_URL" not in text:
failures.append("console/config/main.php does not read CONSOLE_SLACK_WEBHOOK_URL")

if "SLACK_WEBHOOK_URL" not in text:
failures.append("console/config/main.php does not include the shared SLACK_WEBHOOK_URL fallback")

if not re.search(r"['\"]url['\"]\s*=>\s*\$consoleSlackWebhookUrl\b", text):
failures.append("console/config/main.php does not wire the Slack client URL through the env-backed value")

if failures:
print("Console Slack webhook hardening check failed:")
for failure in failures:
print(f"- {failure}")
return 1

print("Console Slack webhook hardening check passed.")
return 0


if __name__ == "__main__":
raise SystemExit(main())