From cbfddb254d4e5d78f8836520f49cd238eed80cea Mon Sep 17 00:00:00 2001
From: Javier Blanco
Date: Thu, 30 Apr 2026 10:50:35 +0700
Subject: [PATCH] protect secret
---
 deploy-secret.php | 2 ++
 deploy.php | 48 +++++++++++++++++++++++------------------------
 2 files changed, 26 insertions(+), 24 deletions(-)
 create mode 100644 deploy-secret.php
diff --git a/deploy-secret.php b/deploy-secret.php
new file mode 100644
index 0000000..1f9172c
--- /dev/null
+++ b/deploy-secret.php
@@ -0,0 +1,2 @@
+ cPanel
- *
- * Cambia SOLO estos valores:
- */
-const WEBHOOK_SECRET = 'jX25kNTa@K1e4;jX25kNTa@K1e4;jX25kNTa@K1e4;';
+const SECRET_FILE = '/home/javi/.deploy-secret.php';
 const ALLOWED_BRANCH = 'master';
 const REPO_PATH = '/home/javi/hello-world.ai1.ovh';
 const GIT_BIN = '/usr/bin/git';
 const LOG_FILE = __DIR__ . '/deploy.log';
-/*
- * Si tu repo NO está en /home/javi/repositories/hello-world,
- * pon aquí la ruta exacta del repo gestionado por cPanel.
- */
-
 function respond(int $code, string $message): void {
 http_response_code($code);
 header('Content-Type: text/plain; charset=utf-8');
@@ -39,6 +28,17 @@ if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
 respond(405, 'Method Not Allowed');
 }
+if (!file_exists(SECRET_FILE)) {
+ log_line('ERROR: No existe SECRET_FILE: ' . SECRET_FILE);
+ respond(500, 'Secret file not found');
+}
+
+$secret = require SECRET_FILE;
+if (!$secret || !is_string($secret)) {
+ log_line('ERROR: SECRET_FILE inválido');
+ respond(500, 'Secret file error');
+}
+
 $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
 if (stripos($contentType, 'application/json') === false) {
 log_line('ERROR: Content-Type inválido: ' . $contentType);
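Review bot: The two secret checks run before the signature is verified and answer with different texts (`Secret file not found` vs `Secret file error`), so any unauthenticated POST learns whether the secret file is deployed; both branches should return the same generic 500 and keep the distinction in the log only. `file_exists()` also passes for a file the web user cannot read, in which case the following `require` aborts with a fatal error (and, if display_errors is on, the path) instead of the controlled response — `if (!is_readable(SECRET_FILE)) {` covers both the missing and the unreadable case. The `!$secret` truthiness test adds nothing over `is_string()` for a real secret and would reject the string `'0'`; `if (!is_string($secret) || $secret === '') {` states the intent directly. The script continues outside the hunk.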
@@ -57,13 +57,9 @@ if (!$signatureHeader) {
 respond(403, 'Missing signature');
 }
-/*
- * Compatibilidad:
- * - algunos ejemplos usan solo el hash
- * - otros usan "sha256=HASH"
- */
-$expected = hash_hmac('sha256', $payload, WEBHOOK_SECRET);
+$expected = hash_hmac('sha256', $payload, $secret);
 $provided = trim($signatureHeader);
+
 if (stripos($provided, 'sha256=') === 0) {
 $provided = substr($provided, 7);
 }
@@ -98,11 +94,10 @@ if (!is_dir(REPO_PATH)) {
 }
 $commands = [
- 'cd ' . escapeshellarg(REPO_PATH),
- GIT_BIN . ' rev-parse --is-inside-work-tree',
- GIT_BIN . ' fetch origin',
- GIT_BIN . ' checkout ' . escapeshellarg(ALLOWED_BRANCH),
- GIT_BIN . ' pull origin ' . escapeshellarg(ALLOWED_BRANCH) . ' 2>&1',
+ 'cd ' . escapeshellarg(REPO_PATH) . ' && ' . GIT_BIN . ' rev-parse --is-inside-work-tree 2>&1',
+ 'cd ' . escapeshellarg(REPO_PATH) . ' && ' . GIT_BIN . ' fetch origin 2>&1',
+ 'cd ' . escapeshellarg(REPO_PATH) . ' && ' . GIT_BIN . ' checkout ' . escapeshellarg(ALLOWED_BRANCH) . ' 2>&1',
+ 'cd ' . escapeshellarg(REPO_PATH) . ' && ' . GIT_BIN . ' pull origin ' . escapeshellarg(ALLOWED_BRANCH) . ' 2>&1',
 ];
 $outputAll = [];
@@ -112,6 +107,7 @@ foreach ($commands as $cmd) {
 $output = [];
 $cmdReturn = 0;
 exec($cmd, $output, $cmdReturn);
+ $outputAll[] = '$ ' . $cmd;
 $outputAll[] = implode("\n", $output);
 $outputAll[] = 'exit_code=' . $cmdReturn;
@@ -122,7 +118,11 @@ foreach ($commands as $cmd) {
 }
 }
-$logBlock = "Webhook OK | event=push | ref={$ref}\n" . implode("\n", $outputAll) . "\n---";
+$after = $data['after'] ?? '';
+$pusher = $data['pusher']['login'] ?? ($data['sender']['login'] ?? 'unknown');
+
+$logBlock = "Webhook OK | event=push | ref={$ref} | after={$after} | pusher={$pusher}\n" .
+ implode("\n", $outputAll) . "\n---";
 log_line($logBlock);
 if ($returnCode !== 0) {
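Review bot: The comment deleted above `$expected = hash_hmac('sha256', $payload, $secret);` was the only explanation of why both a bare digest and the `sha256=` prefix are accepted, and the code that accepts both is kept; restore it as a one-liner such as `// accept both "sha256=HASH" (GitHub style) and a bare HASH`. The comparison of `$expected` with `$provided` lies outside this hunk; if it is not already `hash_equals($expected, $provided)`, it should be, since `===` on the two hex strings is not constant-time. `hash_hmac()` yields lowercase hex, so the digest part of `$provided` is only matched case-sensitively while the prefix is matched with `stripos()`; either make the prefix match case-sensitive too or lower-case the digest, so the two halves of the check agree.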
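Review bot: The `'cd ' . escapeshellarg(REPO_PATH) . ' && ' . GIT_BIN` prefix is now repeated on all four entries of `$commands`; `git -C <path>` runs the same command inside the repository without a shell `cd` and lets the prefix be hoisted into one variable, so the path goes through `escapeshellarg()` once. The `2>&1` suffix stays per entry so that `$output` still receives stderr as before. Behaviour is otherwise unchanged: every entry runs in `REPO_PATH` and the loop that executes them is in a later hunk.
```php
$git = GIT_BIN . ' -C ' . escapeshellarg(REPO_PATH);
$commands = [
    $git . ' rev-parse --is-inside-work-tree 2>&1',
    $git . ' fetch origin 2>&1',
    $git . ' checkout ' . escapeshellarg(ALLOWED_BRANCH) . ' 2>&1',
    $git . ' pull origin ' . escapeshellarg(ALLOWED_BRANCH) . ' 2>&1',
];
```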
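Review bot: `$after` and `$pusher` come straight from the decoded webhook body and are interpolated into `$logBlock` unchanged, so a `login` or `after` value containing a newline or the `---` separator can forge extra entries in `deploy.log`; reduce both to a single printable line before they reach the log. The `??` only guards absence, so a non-string value at those keys would interpolate as `Array` with a warning. If the sender is GitHub, its push payload carries `pusher.name` rather than `pusher.login`, so the `sender.login` fallback is likely what normally fires — worth confirming against the provider's payload. `$ref`, set outside this hunk, deserves the same treatment if it is not already validated. Restricting both values to printable ASCII and keeping the current defaults leaves the log format intact:
```php
// payload fields are remote input: keep each to one printable line
$oneLine = static fn ($v, string $default): string =>
    is_string($v) ? (preg_replace('/[^\x20-\x7E]/', '?', $v) ?? $default) : $default;
$after = $oneLine($data['after'] ?? null, '');
$pusher = $oneLine($data['pusher']['login'] ?? ($data['sender']['login'] ?? null), 'unknown');
// … unchanged: $logBlock assembly and log_line() …
```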