Skip to content

Add verifyWebhookSignature helper for signed webhooks#289

Open
roznawsk wants to merge 4 commits into
mainfrom
webhook-signature-verification
Open

Add verifyWebhookSignature helper for signed webhooks#289
roznawsk wants to merge 4 commits into
mainfrom
webhook-signature-verification

Conversation

@roznawsk

Copy link
Copy Markdown
Member

Description

Adds a verifyWebhookSignature(body, signature, secret) helper to @fishjam-cloud/js-server-sdk that verifies the x-fishjam-signature-256 header Fishjam now sends with webhook deliveries (sha256=<lowercase hex HMAC-SHA256 of the raw body>). Uses crypto.timingSafeEqual for a constant-time comparison and accepts both the prefixed header value and bare hex. Exported next to decodeServerNotifications, with tests covering valid, tampered, wrong-secret, and malformed signatures.

Motivation and Context

The Fishjam server now signs webhook notifications with a signing secret. Without an SDK helper, users would hand-roll verification — typically with a timing-attackable === comparison. This ships the one small, correct primitive (same pattern as Stripe/GitHub SDKs).

Documentation impact

  • Documentation update required
  • Documentation updated in another PR
  • No documentation update required

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to
    not work as expected)

Verifies the x-fishjam-signature-256 header (sha256=<hex> HMAC-SHA256 of the raw body) with a constant-time compare.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a public helper to verify signed Fishjam webhook deliveries before decoding protobuf notifications, aligning SDK usage with the server’s new x-fishjam-signature-256 HMAC header.

Changes:

  • Introduces verifyWebhookSignature(body, signature, secret) using HMAC-SHA256 and crypto.timingSafeEqual.
  • Exports the helper from the package entrypoint alongside decodeServerNotifications.
  • Adds Vitest coverage for valid/invalid/malformed signatures and ArrayBuffer bodies.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
packages/js-server-sdk/src/webhook.ts Adds verifyWebhookSignature implementation and API docs next to decodeServerNotifications.
packages/js-server-sdk/src/index.ts Re-exports verifyWebhookSignature from the public SDK surface.
packages/js-server-sdk/tests/webhook.test.ts Adds unit tests covering verification success/failure scenarios and input variants.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/js-server-sdk/src/webhook.ts
Qualify the constant-time claim in verifyWebhookSignature docs: the length check short-circuits, leaking only the (public) expected signature length.
@roznawsk roznawsk requested a review from czerwiukk July 14, 2026 16:53
roznawsk added 2 commits July 15, 2026 08:36
Collapses a manually-wrapped function signature to match the project's printWidth (120).
"undecoded" isn't a recognized word; reword the JSDoc to avoid it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants