7 files changed, 31 insertions, 22 deletions

diff --git a/mod/mod-ci-github-gh.cxx b/mod/mod-ci-github-gh.cxx
index 2e886ac..42afe1b 100644
--- a/mod/mod-ci-github-gh.cxx
+++ b/mod/mod-ci-github-gh.cxx
@@ -211,9 +211,9 @@ namespace brep
             // one can be null. It's unclear under what circumstances, but it
             // shouldn't happen unless something is broken.
             //
-            string* v (p.next_expect_number_null ());
+            optional<uint64_t> v (p.next_expect_number_null<uint64_t> ());
 
-            if (v == nullptr)
+            if (!v)
               throw_json (p, "check_suite.app.id is null");
 
             app_id = *v;
@@ -310,7 +310,7 @@ namespace brep
         //
         while (p.next_expect (event::name, event::end_object))
         {
-          if (c (ai, "id")) app_id = p.next_expect_number ();
+          if (c (ai, "id")) app_id = p.next_expect_number<uint64_t> ();
           else p.next_expect_value_skip ();
         }
 
diff --git a/mod/mod-ci-github-gh.hxx b/mod/mod-ci-github-gh.hxx
index 91f5bfe..5f6e5b7 100644
--- a/mod/mod-ci-github-gh.hxx
+++ b/mod/mod-ci-github-gh.hxx
@@ -66,7 +66,7 @@ namespace brep
     size_t check_runs_count;
     optional<string> conclusion;
 
-    string app_id;
+    uint64_t app_id;
 
     explicit
     gh_check_suite_ex (json::parser&);
@@ -97,7 +97,7 @@ namespace brep
     string details_url;
     gh_check_suite check_suite;
 
-    string app_id;
+    uint64_t app_id;
 
     explicit
     gh_check_run_ex (json::parser&);
@@ -129,7 +129,7 @@ namespace brep
     // simplicity we emulate check_suite and check_run by storing the app-id
     // webhook query parameter here.
     //
-    string app_id;
+    uint64_t app_id;
 
     explicit
     gh_pull_request (json::parser&);
@@ -256,7 +256,7 @@ namespace brep
     // emulate check_suite and check_run by storing the app-id webhook query
     // parameter here.
     //
-    string app_id;
+    uint64_t app_id;
 
     explicit
     gh_push_event (json::parser&);
diff --git a/mod/mod-ci-github-service-data.cxx b/mod/mod-ci-github-service-data.cxx
index c51f791..aa2e619 100644
--- a/mod/mod-ci-github-service-data.cxx
+++ b/mod/mod-ci-github-service-data.cxx
@@ -54,7 +54,7 @@ namespace brep
     p.next_expect_name ("installation_access");
     installation_access = gh_installation_access_token (p);
 
-    app_id = p.next_expect_member_string ("app_id");
+    app_id = p.next_expect_member_number<uint64_t> ("app_id");
     installation_id = p.next_expect_member_string ("installation_id");
 
     repository_node_id = p.next_expect_member_string ("repository_node_id");
@@ -143,7 +143,7 @@ namespace brep
   service_data (bool ws,
                 string iat_tok,
                 timestamp iat_ea,
-                string aid,
+                uint64_t aid,
                 string iid,
                 string rid,
                 string rcu,
@@ -155,7 +155,7 @@ namespace brep
       : kind (k), pre_check (pc), re_request (rr),
         warning_success (ws),
         installation_access (move (iat_tok), iat_ea),
-        app_id (move (aid)),
+        app_id (aid),
         installation_id (move (iid)),
         repository_node_id (move (rid)),
         repository_clone_url (move (rcu)),
@@ -171,7 +171,7 @@ namespace brep
   service_data (bool ws,
                 string iat_tok,
                 timestamp iat_ea,
-                string aid,
+                uint64_t aid,
                 string iid,
                 string rid,
                 string rcu,
@@ -185,7 +185,7 @@ namespace brep
       : kind (k), pre_check (pc), re_request (rr),
         warning_success (ws),
         installation_access (move (iat_tok), iat_ea),
-        app_id (move (aid)),
+        app_id (aid),
         installation_id (move (iid)),
         repository_node_id (move (rid)),
         repository_clone_url (move (rcu)),
diff --git a/mod/mod-ci-github-service-data.hxx b/mod/mod-ci-github-service-data.hxx
index 5d36696..3e9a58e 100644
--- a/mod/mod-ci-github-service-data.hxx
+++ b/mod/mod-ci-github-service-data.hxx
@@ -96,7 +96,7 @@ namespace brep
     //
     gh_installation_access_token installation_access;
 
-    string app_id;
+    uint64_t app_id;
     string installation_id;
 
     string repository_node_id; // GitHub-internal opaque repository id.
@@ -159,7 +159,7 @@ namespace brep
     service_data (bool warning_success,
                   string iat_token,
                   timestamp iat_expires_at,
-                  string app_id,
+                  uint64_t app_id,
                   string installation_id,
                   string repository_node_id,
                   string repository_clone_url,
@@ -174,7 +174,7 @@ namespace brep
     service_data (bool warning_success,
                   string iat_token,
                   timestamp iat_expires_at,
-                  string app_id,
+                  uint64_t app_id,
                   string installation_id,
                   string repository_node_id,
                   string repository_clone_url,
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index b71e85c..3d3fe7c 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -261,7 +261,7 @@ namespace brep
 
     // Process the `app-id` and `warning` webhook request query parameters.
     //
-    string app_id;
+    uint64_t app_id;
     bool warning_success;
     {
       const name_values& rps (rq.parameters (1024, true /* url_only */));
@@ -281,7 +281,16 @@ namespace brep
             badreq ("missing 'app-id' webhook query parameter value");
 
           ai = true;
-          app_id = *rp.value;
+
+          // Parse the app id value.
+          //
+          char* e (nullptr);
+          app_id = strtoull (rp.value->c_str (), &e, 10);
+          if (app_id == 0 || app_id == ULLONG_MAX || *e != '\0')
+          {
+            badreq ("invalid 'app-id' webhook query parameter value: '" +
+                    *rp.value + '\'');
+          }
         }
         else if (rp.name == "warning")
         {
@@ -3295,7 +3304,7 @@ namespace brep
   }
 
   optional<string> ci_github::
-  generate_jwt (const string& app_id,
+  generate_jwt (uint64_t app_id,
                 const basic_mark& trace,
                 const basic_mark& error) const
   {
@@ -3304,7 +3313,7 @@ namespace brep
     {
       // Look up the private key path for the app id and fail if not found.
       //
-      const map<string, dir_path>& pks (
+      const map<uint64_t, dir_path>& pks (
         options_->ci_github_app_id_private_key ());
 
       auto pk (pks.find (app_id));
@@ -3320,7 +3329,7 @@ namespace brep
       //
       jwt = brep::generate_jwt (
           *options_,
-          pk->second, app_id,
+          pk->second, to_string (app_id),
           chrono::seconds (options_->ci_github_jwt_validity_period ()),
           chrono::seconds (60));
 
diff --git a/mod/mod-ci-github.hxx b/mod/mod-ci-github.hxx
index 4cedc94..0c90bb1 100644
--- a/mod/mod-ci-github.hxx
+++ b/mod/mod-ci-github.hxx
@@ -139,7 +139,7 @@ namespace brep
     details_url (const string& tenant) const;
 
     optional<string>
-    generate_jwt (const string& app_id,
+    generate_jwt (uint64_t app_id,
                   const basic_mark& trace,
                   const basic_mark& error) const;
 
diff --git a/mod/module.cli b/mod/module.cli
index ba2b986..57a5f31 100644
--- a/mod/module.cli
+++ b/mod/module.cli
@@ -858,7 +858,7 @@ namespace brep
          Note: make sure to choose a strong (random) secret."
       }
 
-      std::map<string, dir_path> ci-github-app-id-private-key
+      std::map<uint64_t, dir_path> ci-github-app-id-private-key
       {
         "<id>=<path>",
         "The private key used during GitHub API authentication for the