feat: add HMAC webhook signature verification utilities

2026-02-18 12:33:58 +00:00
parent 3c0584a057
commit 53e0daecaf
2 changed files with 73 additions and 0 deletions
--- a/src/lib/signature.js
+++ b/src/lib/signature.js
@@ -0,0 +1,40 @@
+"use strict";
+
+const crypto = require("node:crypto");
+
+function hmacSHA256Hex(payload, secret) {
+  return crypto
+    .createHmac("sha256", secret)
+    .update(payload, "utf8")
+    .digest("hex");
+}
+
+function verifySignature({ payload, secret, signature }) {
+  if (!secret) {
+    throw new Error("webhook_secret_required");
+  }
+
+  if (!signature) {
+    return false;
+  }
+
+  const normalized = signature.startsWith("sha256=")
+    ? signature.slice("sha256=".length)
+    : signature;
+
+  const expected = hmacSHA256Hex(payload, secret);
+
+  const expectedBuf = Buffer.from(expected, "hex");
+  const givenBuf = Buffer.from(normalized, "hex");
+
+  if (expectedBuf.length !== givenBuf.length) {
+    return false;
+  }
+
+  return crypto.timingSafeEqual(expectedBuf, givenBuf);
+}
+
+module.exports = {
+  hmacSHA256Hex,
+  verifySignature,
+};