Add verifyWebhookSignature helper for signed webhooks#289
Open
roznawsk wants to merge 4 commits into
Open
Conversation
Verifies the x-fishjam-signature-256 header (sha256=<hex> HMAC-SHA256 of the raw body) with a constant-time compare.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a public helper to verify signed Fishjam webhook deliveries before decoding protobuf notifications, aligning SDK usage with the server’s new x-fishjam-signature-256 HMAC header.
Changes:
- Introduces
verifyWebhookSignature(body, signature, secret)using HMAC-SHA256 andcrypto.timingSafeEqual. - Exports the helper from the package entrypoint alongside
decodeServerNotifications. - Adds Vitest coverage for valid/invalid/malformed signatures and ArrayBuffer bodies.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/js-server-sdk/src/webhook.ts | Adds verifyWebhookSignature implementation and API docs next to decodeServerNotifications. |
| packages/js-server-sdk/src/index.ts | Re-exports verifyWebhookSignature from the public SDK surface. |
| packages/js-server-sdk/tests/webhook.test.ts | Adds unit tests covering verification success/failure scenarios and input variants. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Qualify the constant-time claim in verifyWebhookSignature docs: the length check short-circuits, leaking only the (public) expected signature length.
Collapses a manually-wrapped function signature to match the project's printWidth (120).
"undecoded" isn't a recognized word; reword the JSDoc to avoid it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a
verifyWebhookSignature(body, signature, secret)helper to@fishjam-cloud/js-server-sdkthat verifies thex-fishjam-signature-256header Fishjam now sends with webhook deliveries (sha256=<lowercase hex HMAC-SHA256 of the raw body>). Usescrypto.timingSafeEqualfor a constant-time comparison and accepts both the prefixed header value and bare hex. Exported next todecodeServerNotifications, with tests covering valid, tampered, wrong-secret, and malformed signatures.Motivation and Context
The Fishjam server now signs webhook notifications with a signing secret. Without an SDK helper, users would hand-roll verification — typically with a timing-attackable
===comparison. This ships the one small, correct primitive (same pattern as Stripe/GitHub SDKs).Documentation impact
Types of changes
not work as expected)