From a83253da0ea3925ccf32f753ac39d46f86327c66 Mon Sep 17 00:00:00 2001
From: OG T
Date: Sun, 5 Apr 2026 15:15:36 +0800
Subject: [PATCH] =?UTF-8?q?fix(gitea-webhook):=20X-Gitea-Signature=20?= =?UTF-8?q?=E7=82=BA=E7=B4=94=20hex=EF=BC=8C=E7=84=A1=20sha256=3D=20?= =?UTF-8?q?=E5=89=8D=E7=B6=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Gitea 送出的簽章 header 是純 hex digest,不含 "sha256=" 前綴。 修正驗證邏輯兼容兩種格式(sha256= 前綴自動去除,否則直接用)。

Co-Authored-By: Claude Sonnet 4.6
---
 apps/api/src/api/v1/gitea_webhook.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/api/v1/gitea_webhook.py b/apps/api/src/api/v1/gitea_webhook.py
index 39892647..bc0fff9d 100644
--- a/apps/api/src/api/v1/gitea_webhook.py
+++ b/apps/api/src/api/v1/gitea_webhook.py
@@ -169,10 +169,12 @@ async def verify_gitea_signature(
 logger.warning("gitea_signature_missing")
 raise GiteaSignatureError("Missing X-Gitea-Signature header")

- if not x_gitea_signature.startswith("sha256="):
- raise GiteaSignatureError("Invalid signature format (expected sha256=...)")
-
- provided_signature = x_gitea_signature[7:] # 移除 "sha256=" 前綴
+ # Gitea 送出純 hex(無 "sha256=" 前綴),GitHub 才有前綴
+ # 2026-04-05 ogt: 修正 Gitea 實際格式為純 hex
+ if x_gitea_signature.startswith("sha256="):
+ provided_signature = x_gitea_signature[7:]
+ else:
+ provided_signature = x_gitea_signature

 body = await request.body()
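Review bot: The new `else` branch takes the whole header value as `provided_signature` with no shape check, so any string now reaches the HMAC comparison that follows `body = await request.body()`. That comparison is outside the hunk; if it uses `hmac.compare_digest` on `str` values, a header containing non-ASCII characters raises `TypeError` and would surface as an unhandled error rather than `GiteaSignatureError`, which is worth confirming. I would reject malformed values right after the branch: `if len(provided_signature) != 64 or any(c not in "0123456789abcdef" for c in provided_signature.lower()): raise GiteaSignatureError("Invalid signature format")`. The dated note `# 2026-04-05 ogt: …` repeats what the commit record already holds and could be dropped from the source. verify_gitea_signature starts and ends outside the hunk.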