support provider-accurate X webhook signatures

test/app.test.js

@@ -3,7 +3,7 @@
 const test = require("node:test");
 const assert = require("node:assert/strict");
 const { buildApp } = require("../src/app");
-const { hmacSHA256Hex } = require("../src/lib/signature");
+const { hmacSHA256Hex, hmacSHA256Base64 } = require("../src/lib/signature");
 
 function getTestCookieValue(cookieHeader, name) {
   const parts = String(cookieHeader || "").split(";").map((part) => part.trim());
@@ -698,6 +698,33 @@ test("X webhook invalid signature is rejected", async () => {
   assert.equal(response.status, 401);
 });
 
+test("X webhook accepts x-twitter-webhooks-signature header", async () => {
+  const app = createApp();
+  await postJSONWebhook(app, "/api/webhooks/polar", { userId: "u1", credits: 4, eventId: "evt-twitter-sig" }, "polar-secret");
+
+  const payload = {
+    mentionPostId: "m-twitter-header",
+    callerUserId: "u1",
+    parentPost: {
+      id: "p1",
+      authorId: "author",
+      article: { id: "a1", title: "T", body: "body text" },
+    },
+  };
+  const rawBody = JSON.stringify(payload);
+  const signature = hmacSHA256Base64(rawBody, "x-secret");
+
+  const response = await call(app, {
+    method: "POST",
+    path: "/api/webhooks/x",
+    headers: { "x-twitter-webhooks-signature": `sha256=${signature}` },
+    body: rawBody,
+  });
+
+  assert.equal(response.status, 200);
+  assert.equal(JSON.parse(response.body).status, "completed");
+});
+
 test("X webhook valid flow processes article", async () => {
   const app = createApp();