Skip to content

test(api): cover webhook signature verification#618

Open
pengyuayn wants to merge 1 commit into
privexlabs:mainfrom
pengyuayn:test/verify-webhook-hmac
Open

test(api): cover webhook signature verification#618
pengyuayn wants to merge 1 commit into
privexlabs:mainfrom
pengyuayn:test/verify-webhook-hmac

Conversation

@pengyuayn

Copy link
Copy Markdown

What

Adds unit coverage for verifyWebhook HMAC verification and replay protection paths.

Why

Issue #407 asks for coverage around timing-safe HMAC comparison and signature rejection paths. These tests lock down valid signatures, wrong-secret signatures, flipped-byte signatures, missing/empty signature headers, raw body requirements, pending-secret rotation, and duplicate webhook IDs.

How

  • Mocks the DB app_config secret lookup, Redis replay guard, and logger.
  • Uses signWebhookPayload to generate valid request signatures.
  • Spies on crypto.timingSafeEqual and crypto.createHmac to assert timing-safe comparison is used and malformed requests return before HMAC work.
  • Keeps the test fully isolated from Postgres, Redis, and Express server startup.

Test plan

  • ./node_modules/.bin/vitest run apps/api/src/middleware/__tests__/verify-webhook.test.ts
  • ./node_modules/.bin/prettier --check apps/api/src/middleware/__tests__/verify-webhook.test.ts
  • ./node_modules/.bin/tsc -p apps/api/tsconfig.json --noEmit currently stops on an existing unrelated syntax error in apps/api/src/routes/leaderboard.ts.

Closes #407

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Unit tests for middleware/verify-webhook.ts — timing-safe HMAC comparison

1 participant