Module: database/repositories/webhookTokenRepo

Data-access layer for the webhook_tokens table (ENH-011).

Stores per-project CI/CD trigger tokens. The plaintext token is shown exactly once at creation and never stored — only the SHA-256 hash is persisted. Authentication checks hash the incoming token and compare.

Schema

webhook_tokens(id TEXT PK, projectId TEXT, tokenHash TEXT UNIQUE,
               label TEXT, createdAt TEXT, lastUsedAt TEXT)

Exports

  • create — insert a new hashed token row
  • getByProjectId — list all tokens for a project (no hash)
  • findByHash — look up a token by its SHA-256 hash
  • touch — update lastUsedAt after a successful trigger
  • deleteById — remove a single token
  • deleteByProjectId — remove all tokens for a project (project delete)
Source:

Methods

(static) create(opts) → {void}

Insert a new webhook token row. The caller is responsible for generating the ID (use idGenerator) and hashing the plaintext (use hashToken).

Parameters:
Name Type Description
opts Object
Properties
Name Type Attributes Description
id string

Primary key
projectId string
tokenHash string

SHA-256 hex of the plaintext token
label string <optional>

Optional human label
Source:
Returns:
Type
void

(static) deleteById(id) → {boolean}

Delete a single token by ID.

Parameters:
Name Type Description
id string
Source:
Returns:

true if a row was deleted.

Type
boolean

(static) deleteByProjectId(projectId) → {number}

Delete all tokens for a project (cascade on project delete).

Parameters:
Name Type Description
projectId string
Source:
Returns:

Number of rows deleted.

Type
number

(static) findByHash(hash) → {Object|undefined}

Look up a token row by its SHA-256 hash. Used to authenticate incoming trigger requests. Returns the full row including tokenHash (needed to verify it still matches).

Parameters:
Name Type Description
hash string

64-char hex SHA-256 digest
Source:
Returns:
Type
Object | undefined

(static) generateToken() → {string}

Generate a cryptographically random URL-safe token string. Returns 40 bytes of randomness encoded as hex (80 chars).

Source:
Returns:
Type
string

(static) getByProjectId(projectId) → {Array.<WebhookTokenRow>}

Get all tokens for a project. Returns public fields only — the tokenHash is intentionally omitted so it cannot be accidentally logged or sent to the client.

Parameters:
Name Type Description
projectId string
Source:
Returns:
Type
Array.<WebhookTokenRow>

(static) hashToken(plaintext) → {string}

Hash a plaintext token with SHA-256.

Parameters:
Name Type Description
plaintext string
Source:
Returns:

64-char hex digest

Type
string

(static) touch(id) → {void}

Record a successful use of the token (updates lastUsedAt).

Parameters:
Name Type Description
id string

Token primary key
Source:
Returns:
Type
void

Type Definitions

WebhookTokenRow

Type:
  • Object
Properties:
Name Type Description
id string

Primary key (e.g. "WH-1")
projectId string
label string

Human-readable label (optional)
createdAt string

ISO 8601
lastUsedAt string | null

ISO 8601, null if never used
Source: