Fail closed when link-checker-api webhook secret is missing

verify_signature returned silently when the configured webhook
secret was nil, allowing any unsigned POST to mark a
LinkCheckerApiReport as completed. Reply 503 instead so the
callback action never runs without a secret.

Author: TonyGDS

app/controllers/admin/link_checker_api_controller.rb

@@ -18,7 +18,7 @@ def callback
 private
 
   def verify_signature
-    return unless webhook_secret_token
+    return head :service_unavailable unless webhook_secret_token
 
     given_signature = request.headers["X-LinkCheckerApi-Signature"]
     return head :bad_request unless given_signature

test/functional/admin/link_checker_api_controller_test.rb

@@ -37,4 +37,33 @@ def generate_signature(body, key)
 
     assert_response :success
   end
+
+  test "POST :callback returns 503 when the webhook secret is not configured" do
+    Rails.application.credentials.stubs(:link_checker_api_secret_token).returns(nil)
+    LinkCheckerApiReport.any_instance.expects(:mark_report_as_completed).never
+
+    body = link_checker_api_batch_report_hash(id: 5, links: [{ uri: @link, status: "ok" }])
+    post :callback, params: body
+
+    assert_response :service_unavailable
+  end
+
+  test "POST :callback returns 400 when the signature header is missing" do
+    LinkCheckerApiReport.any_instance.expects(:mark_report_as_completed).never
+
+    body = link_checker_api_batch_report_hash(id: 5, links: [{ uri: @link, status: "ok" }])
+    post :callback, params: body
+
+    assert_response :bad_request
+  end
+
+  test "POST :callback returns 400 when the signature does not match the body" do
+    LinkCheckerApiReport.any_instance.expects(:mark_report_as_completed).never
+
+    body = link_checker_api_batch_report_hash(id: 5, links: [{ uri: @link, status: "ok" }])
+    request.headers["X-LinkCheckerApi-Signature"] = generate_signature(body.to_json, "wrong-secret")
+    post :callback, params: body
+
+    assert_response :bad_request
+  end
 end