Return 401 for invalid link-checker-api webhook signature

TonyGDS · TonyGDS · commit 4989970730b9 · 2026-05-21T16:47:44.000+01:00
A correctly-formed request with the wrong signature is an
authentication failure, not a malformed request.
diff --git a/app/controllers/admin/link_checker_api_controller.rb b/app/controllers/admin/link_checker_api_controller.rb
@@ -25,7 +25,7 @@ def verify_signature
 
     body = request.raw_post
     signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), webhook_secret_token, body)
-    head :bad_request unless Rack::Utils.secure_compare(signature, given_signature)
+    head :unauthorized unless Rack::Utils.secure_compare(signature, given_signature)
   end
 
   def webhook_secret_token
diff --git a/test/functional/admin/link_checker_api_controller_test.rb b/test/functional/admin/link_checker_api_controller_test.rb
@@ -57,13 +57,13 @@ def generate_signature(body, key)
     assert_response :bad_request
   end
 
-  test "POST :callback returns 400 when the signature does not match the body" do
+  test "POST :callback returns 401 when the signature does not match the body" do
     LinkCheckerApiReport.any_instance.expects(:mark_report_as_completed).never
 
     body = link_checker_api_batch_report_hash(id: 5, links: [{ uri: @link, status: "ok" }])
     request.headers["X-LinkCheckerApi-Signature"] = generate_signature(body.to_json, "wrong-secret")
     post :callback, params: body
 
-    assert_response :bad_request
+    assert_response :unauthorized
   end
 end
