Add webhook HMAC signature verification, nonce replay protection, and…#642

Open
uboho-prog wants to merge 1 commit into Smartdevs17:main from uboho-prog:webhook/callback

@uboho-prog

Contributor

… key rotation support

Pull Request Checklist

Quality Gates (All must pass before merge)

  • Lint: Code passes ESLint and Prettier checks
  • Type Check: TypeScript compilation succeeds
  • Tests: All tests pass
  • Build: Project builds successfully
  • Rust Format: Smart contract formatting is correct
  • Rust Clippy: Smart contract linting passes
  • Rust Tests: All smart contract tests pass
  • Rust Build: Smart contracts compile successfully

Additional Requirements

  • New code has appropriate TypeScript types
  • No hardcoded secrets or credentials
  • New features have corresponding tests
  • Documentation updated if needed

Reviewers

  • At least 1 approval required for merge
  • All CI checks must be green

This PR will not be mergeable until all quality gates pass.


close #605

Summary

This PR adds cryptographic verification and replay protection for incoming webhook callbacks.

What changed

  • Added SignatureService to generate and verify HMAC-SHA256 webhook signatures
  • Implemented timestamp tolerance and clock skew handling
  • Added nonce replay protection with Redis-backed cache and in-memory fallback
  • Added key rotation support with current/previous active keys
  • Added Express middleware to auto-verify webhook requests
  • Added a signature key management controller for inspection and rotation
  • Added unit tests for signature generation, replay detection, timestamp tolerance, and key rotation

Acceptance criteria addressed

  • Signature format: X-Signature: t=1678901234,s=base64sig,v=1,n=random_nonce
  • HMAC-SHA256 over timestamp + '.' + body
  • Timestamp tolerance default 5 minutes
  • Clock skew tolerance default 30 seconds
  • Nonce tracking with 10-minute TTL
  • Replay detection via nonce cache
  • Key rotation with two active keys
  • Middleware enforcement for webhook endpoints

Testing

  1. Install dependencies:
    npm install
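
The header format and checks listed under the acceptance criteria, as an added JavaScript sketch that is not the PR's SignatureService code. The function names, result strings, the in-memory Map standing in for the Redis cache, and the reading of the 5-minute tolerance as a limit on age and the 30-second skew as a limit on future timestamps are all assumptions.

```javascript
// Added example; names and return codes are hypothetical, not the PR's API.
const { createHmac, timingSafeEqual } = require("node:crypto");

const TOLERANCE_S = 300, SKEW_S = 30, NONCE_TTL_S = 600; // defaults listed in the PR
const seenNonces = new Map(); // nonce -> expiry (epoch s); stand-in for the Redis cache

// MAC input as stated in the PR: timestamp + '.' + body
function mac(key, t, body) {
  return createHmac("sha256", key).update(`${t}.${body}`).digest();
}

function makeHeader(key, t, body, nonce) {
  return `t=${t},s=${mac(key, t, body).toString("base64")},v=1,n=${nonce}`;
}

// Split each field on its FIRST '=' only: base64 signatures end in '=' padding.
function parseHeader(header) {
  const f = Object.create(null);
  for (const part of String(header).split(",")) {
    const i = part.indexOf("=");
    if (i < 1 || part.slice(0, i) in f) return null; // no key, or duplicate field
    f[part.slice(0, i)] = part.slice(i + 1);
  }
  const ok = /^\d{1,12}$/.test(f.t || "") && f.s && f.n && f.v === "1";
  return ok ? f : null;
}

// keys = [current, previous]; now is injectable so the checks can be tested.
function verify(header, body, keys, now = Math.floor(Date.now() / 1000)) {
  const f = parseHeader(header);
  if (!f) return "malformed";
  const given = Buffer.from(f.s, "base64");
  const valid = keys.some((key) => {
    const want = mac(key, f.t, body);
    return want.length === given.length && timingSafeEqual(want, given);
  });
  if (!valid) return "bad_signature";
  const t = Number(f.t);
  if (now - t > TOLERANCE_S || t - now > SKEW_S) return "stale_timestamp";
  for (const [n, exp] of seenNonces) if (exp <= now) seenNonces.delete(n);
  if (seenNonces.has(f.n)) return "replay";
  seenNonces.set(f.n, now + NONCE_TTL_S); // stored only after the MAC verified
  return "ok";
}
```

With the MAC input exactly as listed (timestamp + '.' + body), the n field is not covered by the signature, so the replay check in this sketch is only as strong as the nonce's integrity. Whether the real SignatureService binds the nonce into the signed string is the point to confirm in review.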

@drips-wave

drips-wave Bot commented Jun 24, 2026

@uboho-prog Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Development

Successfully merging this pull request may close these issues.

Implement request signing and replay protection for webhook callbacks
