config updates

olsenben · olsenben · commit 46e0a7935403 · 2025-12-01T17:00:26.000-05:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -36,6 +36,7 @@ jobs:
           )
           
           # Send webhook with secret for authentication
+          # Note: WEBHOOK_URL should point to /api/deploy-website endpoint
           curl -X POST "$WEBHOOK_URL" \
             -H "Content-Type: application/json" \
             -H "X-GitHub-Event: push" \
diff --git a/README.md b/README.md
@@ -88,7 +88,7 @@ This repository uses GitHub Actions with webhook-based deployment. The deploymen
   - **Domain:** `staging.processordb.mit.edu`
   - **Server:** `128.52.141.130`
   - **GitHub Environment:** `staging`
-  - **Webhook Endpoint:** `http://staging.processordb.mit.edu/api/deploy`
+  - **Webhook Endpoint:** `https://staging.processordb.mit.edu/api/deploy-website`
 
 - **Production Environment:**
   - **Branch:** `main`
@@ -111,7 +111,7 @@ To enable automated deployments, you must configure environment-specific secrets
 2. **Configure Staging Environment:**
    - Click on `staging` environment (or create it if it doesn't exist)
    - Add the following secrets:
-     - **`WEBHOOK_URL`:** `https://staging.processordb.mit.edu/api/deploy` (HTTPS enabled)
+     - **`WEBHOOK_URL`:** `https://staging.processordb.mit.edu/api/deploy-website` (HTTPS enabled)
      - **`WEBHOOK_SECRET`:** The secret token that matches `DEPLOY_WEBHOOK_SECRET` in your staging server's `.env` file
    - **Note:** SSL certificate is configured and active. Use `https://` for the webhook URL.
 
@@ -198,7 +198,7 @@ sudo tail -f /var/log/nginx/staging.processordb.mit.edu.access.log
 sudo tail -f /var/log/nginx/staging.processordb.mit.edu.error.log
 
 # Filter for webhook requests only
-sudo tail -f /var/log/nginx/staging.processordb.mit.edu.access.log | grep "/api/deploy"
+sudo tail -f /var/log/nginx/staging.processordb.mit.edu.access.log | grep "/api/deploy-website"
 ```
 
 **Troubleshooting Failed Deployments:**
@@ -230,7 +230,8 @@ The application is served through nginx as a reverse proxy. Configuration files
 - **HTTP:** Port 80 automatically redirects to HTTPS (301 redirect)
 - **Frontend (Nuxt 3):** All requests to `/` are proxied to `http://localhost:3000`
 - **Backend API:** Requests to `/backend/api/` are proxied to `http://localhost:3001/api/`
-- **Webhook:** `/api/deploy` endpoint accessible via HTTPS
+- **Website Webhook:** `/api/deploy-website` endpoint accessible via HTTPS
+- **API Webhook:** `/api/deploy-api` endpoint accessible via HTTPS (proxies to backend API)
 
 **Key Proxy Headers:**
 - `Host`: Preserves original host header
@@ -285,7 +286,8 @@ The staging environment is currently configured with:
 1. **Nginx Configuration:** `/etc/nginx/sites-available/staging.processordb.mit.edu`
    - Frontend proxy: `http://localhost:3000` (Nuxt.js)
    - Backend API proxy: `http://localhost:3001/api/` (via `/backend/api/` path)
-   - Webhook endpoint: `/api/deploy` → `http://localhost:3000` (secured by webhook secret authentication)
+   - Website webhook endpoint: `/api/deploy-website` → `http://localhost:3000` (secured by webhook secret authentication)
+   - API webhook endpoint: `/api/deploy-api` → `http://localhost:3001/api/deploy/webhook` (proxies to backend API)
    - **Access:** Currently **publicly accessible** - no IP restrictions are enabled. All IP restriction directives in nginx config are commented out.
 
 2. **Application Services:**
@@ -299,7 +301,8 @@ The staging environment is currently configured with:
    - PM2 ecosystem config loads `.env` file automatically
 
 4. **Deployment:**
-   - Webhook endpoint: `https://staging.processordb.mit.edu/api/deploy` (HTTPS enabled)
+   - Website webhook endpoint: `https://staging.processordb.mit.edu/api/deploy-website` (HTTPS enabled)
+   - API webhook endpoint: `https://staging.processordb.mit.edu/api/deploy-api` (HTTPS enabled)
    - Deployment script: `~/processordb-website-staging/scripts/deploy.sh`
    - Git credentials: Configured via credential helper
 
@@ -316,7 +319,7 @@ The staging site uses Let's Encrypt SSL certificates managed by certbot for auto
 
 ### Current Status
 
-✅ **SSL is configured and active:**
+**SSL is configured and active:**
 - Certificate obtained and installed
 - HTTP automatically redirects to HTTPS
 - Auto-renewal is enabled via systemd timer
@@ -388,7 +391,7 @@ BACKEND_URL=https://staging.processordb.mit.edu/backend/api
 **GitHub Actions Environment Secrets:**
 Update the `WEBHOOK_URL` in GitHub repository settings:
 - Go to: Repository → Settings → Environments → Staging
-- Update `WEBHOOK_URL` from `http://` to `https://staging.processordb.mit.edu/api/deploy`
+- Update `WEBHOOK_URL` to `https://staging.processordb.mit.edu/api/deploy-website`
 
 **After updating URLs:**
 ```bash
@@ -438,7 +441,7 @@ sudo certbot renew && sudo systemctl reload nginx
 
 To make a subdomain (e.g., staging) only accessible from internal MIT networks, you can restrict access at the nginx level using IP whitelisting by uncommenting and configuring the IP restriction directives.
 
-**Note:** The webhook endpoint (`/api/deploy`) uses secret-based authentication and does not have IP restrictions. This section applies to frontend and backend API access only.
+**Note:** The webhook endpoints (`/api/deploy-website` and `/api/deploy-api`) use secret-based authentication and do not have IP restrictions. This section applies to frontend and backend API access only.
 
 ### Quick Setup for Staging Instance
 
@@ -599,7 +602,7 @@ server {
 }
 ```
 
-**Important:** The webhook endpoint (`/api/deploy`) should **NOT** have IP restrictions enabled, as it uses secret-based authentication and needs to be accessible from GitHub Actions IPs (which change frequently).
+**Important:** The webhook endpoints (`/api/deploy-website` and `/api/deploy-api`) should **NOT** have IP restrictions enabled, as they use secret-based authentication and need to be accessible from GitHub Actions IPs (which change frequently).
 
 ### Implementation Steps
 
@@ -679,6 +682,6 @@ location / {
 - **Error Response:** Users outside MIT networks will see a 403 Forbidden error when restrictions are enabled
 - **VPN Access:** VPN connections to MIT networks will be treated as internal if they use MIT IP ranges
 - **Testing:** Test thoroughly from both internal and external networks before deploying restrictions
-- **Webhook Endpoint:** The `/api/deploy` endpoint does **NOT** use IP restrictions. It relies on secret-based authentication (`X-Webhook-Secret` header) for security. This allows GitHub Actions to trigger deployments from any IP address while maintaining strong security through the webhook secret. **Do not enable IP restrictions on the webhook endpoint.**
+- **Webhook Endpoints:** The `/api/deploy-website` (website) and `/api/deploy-api` (API) endpoints do **NOT** use IP restrictions. They rely on secret-based authentication (`X-Webhook-Secret` header) for security. This allows GitHub Actions to trigger deployments from any IP address while maintaining strong security through the webhook secret. **Do not enable IP restrictions on the webhook endpoints.**
 
 Check out the [deployment documentation](https://nuxt.com/docs/getting-started/deployment) for more information.
diff --git a/server/api/deploy-website.js b/server/api/deploy-website.js

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ jobs:`
`36`	`36`	`)`
`37`	`37`
`38`	`38`	`# Send webhook with secret for authentication`
	`39`	`+ # Note: WEBHOOK_URL should point to /api/deploy-website endpoint`
`39`	`40`	`curl -X POST "$WEBHOOK_URL" \`
`40`	`41`	`-H "Content-Type: application/json" \`
`41`	`42`	`-H "X-GitHub-Event: push" \`