Return 401 for invalid link-checker-api webhook signature

TonyGDS · TonyGDS · commit 2894d702cd8b · 2026-05-22T11:50:42.000+01:00
A correctly-formed request with the wrong signature is an
authentication failure, not a malformed request.
diff --git a/app/controllers/admin/link_checker_api_controller.rb b/app/controllers/admin/link_checker_api_controller.rb
@@ -25,7 +25,12 @@ def verify_signature
 
     body = request.raw_post
     signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), webhook_secret_token, body)
-    head :bad_request unless Rack::Utils.secure_compare(signature, given_signature)
+    return if Rack::Utils.secure_compare(signature, given_signature)
+
+    # Opt out of gds-sso's Warden intercept_401, which would otherwise turn
+    # this response into a redirect to /auth/gds.
+    request.env["warden"].custom_failure!
+    head :unauthorized
   end
 
   def webhook_secret_token
diff --git a/test/functional/admin/link_checker_api_controller_test.rb b/test/functional/admin/link_checker_api_controller_test.rb
@@ -56,14 +56,4 @@ def generate_signature(body, key)
 
     assert_response :bad_request
   end
-
-  test "POST :callback returns 400 when the signature does not match the body" do
-    LinkCheckerApiReport.any_instance.expects(:mark_report_as_completed).never
-
-    body = link_checker_api_batch_report_hash(id: 5, links: [{ uri: @link, status: "ok" }])
-    request.headers["X-LinkCheckerApi-Signature"] = generate_signature(body.to_json, "wrong-secret")
-    post :callback, params: body
-
-    assert_response :bad_request
-  end
 end
diff --git a/test/integration/admin/link_checker_api_callback_test.rb b/test/integration/admin/link_checker_api_callback_test.rb
@@ -0,0 +1,22 @@
+require "test_helper"
+
+class Admin::LinkCheckerApiCallbackTest < ActionDispatch::IntegrationTest
+  test "returns 401 (not a redirect) when the signature is invalid" do
+    post admin_link_checker_api_callback_path,
+         params: { id: 5 }.to_json,
+         headers: {
+           "Content-Type" => "application/json",
+           "X-LinkCheckerApi-Signature" => "invalid",
+         }
+
+    assert_response :unauthorized
+  end
+
+  test "returns 400 when the signature header is missing" do
+    post admin_link_checker_api_callback_path,
+         params: { id: 5 }.to_json,
+         headers: { "Content-Type" => "application/json" }
+
+    assert_response :bad_request
+  end
+end
