Merge branch 'master' into override-url-link

.github/workflows/dep-autoapprove.yml

@@ -0,0 +1,33 @@
+---
+name: Dependabot auto-approve
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot-approve:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'target/goalert'
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          cache: 'yarn'
+      - name: Run make generate
+        run: make generate
+      - uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: Apply make generate changes
+      - name: Approve a PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

app/inithttp.go

@@ -121,43 +121,44 @@ func (app *App) initHTTP(ctx context.Context) error {
 		UserStore:           app.UserStore,
 	})
 
-	mux.Handle("/api/graphql", app.graphql2.Handler())
+	mux.Handle("POST /api/graphql", app.graphql2.Handler())
 
-	mux.HandleFunc("/api/v2/config", app.ConfigStore.ServeConfig)
+	mux.HandleFunc("GET /api/v2/config", app.ConfigStore.ServeConfig)
+	mux.HandleFunc("PUT /api/v2/config", app.ConfigStore.ServeConfig)
 
-	mux.HandleFunc("/api/v2/identity/providers", app.AuthHandler.ServeProviders)
-	mux.HandleFunc("/api/v2/identity/logout", app.AuthHandler.ServeLogout)
+	mux.HandleFunc("GET /api/v2/identity/providers", app.AuthHandler.ServeProviders)
+	mux.HandleFunc("POST /api/v2/identity/logout", app.AuthHandler.ServeLogout)
 
 	basicAuth := app.AuthHandler.IdentityProviderHandler("basic")
-	mux.HandleFunc("/api/v2/identity/providers/basic", basicAuth)
+	mux.HandleFunc("POST /api/v2/identity/providers/basic", basicAuth)
 
 	githubAuth := app.AuthHandler.IdentityProviderHandler("github")
-	mux.HandleFunc("/api/v2/identity/providers/github", githubAuth)
-	mux.HandleFunc("/api/v2/identity/providers/github/callback", githubAuth)
+	mux.HandleFunc("POST /api/v2/identity/providers/github", githubAuth)
+	mux.HandleFunc("GET /api/v2/identity/providers/github/callback", githubAuth)
 
 	oidcAuth := app.AuthHandler.IdentityProviderHandler("oidc")
-	mux.HandleFunc("/api/v2/identity/providers/oidc", oidcAuth)
-	mux.HandleFunc("/api/v2/identity/providers/oidc/callback", oidcAuth)
+	mux.HandleFunc("POST /api/v2/identity/providers/oidc", oidcAuth)
+	mux.HandleFunc("GET /api/v2/identity/providers/oidc/callback", oidcAuth)
 
 	if expflag.ContextHas(ctx, expflag.UnivKeys) {
 		mux.HandleFunc("POST /api/v2/uik", app.UIKHandler.ServeHTTP)
 	}
-	mux.HandleFunc("/api/v2/mailgun/incoming", mailgun.IngressWebhooks(app.AlertStore, app.IntegrationKeyStore))
-	mux.HandleFunc("/api/v2/grafana/incoming", grafana.GrafanaToEventsAPI(app.AlertStore, app.IntegrationKeyStore))
-	mux.HandleFunc("/api/v2/site24x7/incoming", site24x7.Site24x7ToEventsAPI(app.AlertStore, app.IntegrationKeyStore))
-	mux.HandleFunc("/api/v2/prometheusalertmanager/incoming", prometheus.PrometheusAlertmanagerEventsAPI(app.AlertStore, app.IntegrationKeyStore))
+	mux.HandleFunc("POST /api/v2/mailgun/incoming", mailgun.IngressWebhooks(app.AlertStore, app.IntegrationKeyStore))
+	mux.HandleFunc("POST /api/v2/grafana/incoming", grafana.GrafanaToEventsAPI(app.AlertStore, app.IntegrationKeyStore))
+	mux.HandleFunc("POST /api/v2/site24x7/incoming", site24x7.Site24x7ToEventsAPI(app.AlertStore, app.IntegrationKeyStore))
+	mux.HandleFunc("POST /api/v2/prometheusalertmanager/incoming", prometheus.PrometheusAlertmanagerEventsAPI(app.AlertStore, app.IntegrationKeyStore))
 
-	mux.HandleFunc("/api/v2/generic/incoming", generic.ServeCreateAlert)
-	mux.HandleFunc("/api/v2/heartbeat/", generic.ServeHeartbeatCheck)
-	mux.HandleFunc("/api/v2/user-avatar/", generic.ServeUserAvatar)
-	mux.HandleFunc("/api/v2/calendar", app.CalSubStore.ServeICalData)
+	mux.HandleFunc("POST /api/v2/generic/incoming", generic.ServeCreateAlert)
+	mux.HandleFunc("POST /api/v2/heartbeat/{heartbeatID}", generic.ServeHeartbeatCheck)
+	mux.HandleFunc("GET /api/v2/user-avatar/{userID}", generic.ServeUserAvatar)
+	mux.HandleFunc("GET /api/v2/calendar", app.CalSubStore.ServeICalData)
 
-	mux.HandleFunc("/api/v2/twilio/message", app.twilioSMS.ServeMessage)
-	mux.HandleFunc("/api/v2/twilio/message/status", app.twilioSMS.ServeStatusCallback)
-	mux.HandleFunc("/api/v2/twilio/call", app.twilioVoice.ServeCall)
-	mux.HandleFunc("/api/v2/twilio/call/status", app.twilioVoice.ServeStatusCallback)
+	mux.HandleFunc("POST /api/v2/twilio/message", app.twilioSMS.ServeMessage)
+	mux.HandleFunc("POST /api/v2/twilio/message/status", app.twilioSMS.ServeStatusCallback)
+	mux.HandleFunc("POST /api/v2/twilio/call", app.twilioVoice.ServeCall)
+	mux.HandleFunc("POST /api/v2/twilio/call/status", app.twilioVoice.ServeStatusCallback)
 
-	mux.HandleFunc("/api/v2/slack/message-action", app.slackChan.ServeMessageAction)
+	mux.HandleFunc("POST /api/v2/slack/message-action", app.slackChan.ServeMessageAction)
 
 	middleware = append(middleware,
 		httpRewrite(app.cfg.HTTPPrefix, "/v1/graphql2", "/api/graphql"),
@@ -204,20 +205,31 @@ func (app *App) initHTTP(ctx context.Context) error {
 		},
 	)
 
-	mux.HandleFunc("/health", app.healthCheck)
-	mux.HandleFunc("/health/engine", app.engineStatus)
-	mux.HandleFunc("/health/engine/cycle", app.engineCycle)
+	mux.HandleFunc("GET /health", app.healthCheck)
+	mux.HandleFunc("GET /health/engine", app.engineStatus)
+	mux.HandleFunc("GET /health/engine/cycle", app.engineCycle)
+	mux.Handle("GET /health/", http.NotFoundHandler())
 
 	webH, err := web.NewHandler(app.cfg.UIDir, app.cfg.HTTPPrefix)
 	if err != nil {
 		return err
 	}
-	// non-API/404s go to UI handler
-	mux.Handle("/", webH)
 
-	mux.HandleFunc("/admin/riverui/", func(w http.ResponseWriter, r *http.Request) {
+	// This is necessary so that we can return 404 for invalid/unknown API routes, otherwise it will get caught by the UI handler and incorrectly return the index.html or a 405 (Method Not Allowed) error.
+	mux.Handle("GET /api/", http.NotFoundHandler())
+	mux.Handle("POST /api/", http.NotFoundHandler())
+	mux.Handle("GET /v1/", http.NotFoundHandler())
+	mux.Handle("POST /v1/", http.NotFoundHandler())
+
+	// non-API/404s go to UI handler and return index.html
+	mux.Handle("GET /", webH)
+
+	mux.Handle("GET /api/graphql/explore", webH)
+	mux.Handle("GET /api/graphql/explore/", webH)
+
+	mux.HandleFunc("GET /admin/riverui/", func(w http.ResponseWriter, r *http.Request) {
 		err := permission.LimitCheckAny(r.Context(), permission.Admin)
-		if permission.IsUnauthorized(err) && !strings.HasPrefix(r.URL.Path, "/admin/riverui/api") {
+		if permission.IsUnauthorized(err) {
 			// render login since we're on a UI route
 			webH.ServeHTTP(w, r)
 			return
@@ -228,6 +240,14 @@ func (app *App) initHTTP(ctx context.Context) error {
 
 		app.RiverUI.ServeHTTP(w, r)
 	})
+	mux.HandleFunc("POST /admin/riverui/api/", func(w http.ResponseWriter, r *http.Request) {
+		err := permission.LimitCheckAny(r.Context(), permission.Admin)
+		if errutil.HTTPError(r.Context(), w, err) {
+			return
+		}
+
+		app.RiverUI.ServeHTTP(w, r)
+	})
 
 	app.srv = &http.Server{
 		Handler: applyMiddleware(mux, middleware...),

app/lifecycle/manager.go

@@ -197,7 +197,12 @@ func (m *Manager) Run(ctx context.Context) error {
 
 	err := m.runFunc(ctx)
 	close(m.runDone)
-	<-m.shutdownDone
+	s = <-m.status
+	m.status <- s
+	if s == StatusShutdown {
+		<-m.shutdownDone
+	}
+
 	return err
 }
 

calsub/http.go

@@ -77,6 +77,10 @@ func (s *Store) userNameMap(ctx context.Context, shifts []oncall.Shift) (map[str
 func (s *Store) ServeICalData(w http.ResponseWriter, req *http.Request) {
 	ctx := req.Context()
 	src := permission.Source(ctx)
+	if src == nil {
+		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		return
+	}
 	cfg := config.FromContext(ctx)
 	if src.Type != permission.SourceTypeCalendarSubscription || cfg.General.DisableCalendarSubscriptions {
 		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)

engine/message/ratelimit.go

@@ -26,8 +26,8 @@ func init() {
 	perCM.
 		WithMsgTypes(notification.MessageTypeScheduleOnCallUsers).
 		AddRules([]ThrottleRule{
-			{Count: 2, Per: 15 * time.Minute},
-			{Count: 4, Per: 1 * time.Hour, Smooth: true},
+			{Count: 3, Per: 1 * time.Minute},
+			{Count: 20, Per: 1 * time.Hour, Smooth: true},
 		})
 
 	// status notifications

genericapi/handler.go

@@ -30,11 +30,8 @@ func NewHandler(c Config) *Handler {
 
 // ServeUserAvatar will serve a redirect for a users avatar image.
 func (h *Handler) ServeUserAvatar(w http.ResponseWriter, req *http.Request) {
-	parts := strings.Split(req.URL.Path, "/")
-	userID := parts[len(parts)-1]
-
 	ctx := req.Context()
-	u, err := h.c.UserStore.FindOne(ctx, userID)
+	u, err := h.c.UserStore.FindOne(ctx, req.PathValue("userID"))
 	if errors.Is(err, sql.ErrNoRows) {
 		http.NotFound(w, req)
 		return
@@ -50,16 +47,8 @@ func (h *Handler) ServeUserAvatar(w http.ResponseWriter, req *http.Request) {
 // ServeHeartbeatCheck serves the heartbeat check-in endpoint.
 func (h *Handler) ServeHeartbeatCheck(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	if r.Method != "POST" {
-		http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
-		return
-	}
-
-	parts := strings.Split(r.URL.Path, "/")
-	monitorID := parts[len(parts)-1]
-
 	err := retry.DoTemporaryError(func(_ int) error {
-		return h.c.HeartbeatStore.RecordHeartbeat(ctx, monitorID)
+		return h.c.HeartbeatStore.RecordHeartbeat(ctx, r.PathValue("heartbeatID"))
 	},
 		retry.Log(ctx),
 		retry.Limit(12),

go.mod

@@ -5,7 +5,7 @@ go 1.23
 toolchain go1.23.3
 
 require (
-	github.com/99designs/gqlgen v0.17.62
+	github.com/99designs/gqlgen v0.17.63
 	github.com/brianvoe/gofakeit/v6 v6.28.0
 	github.com/coreos/go-oidc/v3 v3.12.0
 	github.com/creack/pty/v2 v2.0.1
@@ -28,7 +28,7 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/matcornic/hermes/v2 v2.1.0
 	github.com/mnako/letters v0.2.3
-	github.com/nyaruka/phonenumbers v1.4.4
+	github.com/nyaruka/phonenumbers v1.5.0
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/pelletier/go-toml/v2 v2.2.3
 	github.com/pkg/errors v0.9.1
@@ -46,20 +46,20 @@ require (
 	github.com/sqlc-dev/pqtype v0.3.0
 	github.com/stretchr/testify v1.10.0
 	github.com/vektah/gqlparser/v2 v2.5.21
-	golang.org/x/crypto v0.31.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sys v0.29.0
-	golang.org/x/term v0.27.0
-	golang.org/x/tools v0.28.0
-	google.golang.org/grpc v1.69.2
+	golang.org/x/term v0.28.0
+	golang.org/x/tools v0.29.0
+	google.golang.org/grpc v1.70.0
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
-	google.golang.org/protobuf v1.36.1
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	riverqueue.com/riverui v0.7.0
 )
 
 require (
-	cel.dev/expr v0.18.0 // indirect
+	cel.dev/expr v0.19.0 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
@@ -148,11 +148,11 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241118233622-e639e219e697 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241202173237-19429a94021a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241202173237-19429a94021a // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect