Merge pull request #524 from unit-finance/yanivs-webhook-pr

Webhook verify to be more secure

Author: Yaniv-Nimni

resources/webhooks.ts

@@ -42,9 +42,11 @@ export class Webhooks extends BaseResource {
     }
 
     public verify(signature: string, secret: string, payload: any) {
+        const signatureBuffer = Buffer.from(signature, "base64")
         const hmac = crypto.createHmac("sha1", secret)
         hmac.update(JSON.stringify(payload))
-        return hmac.digest("base64") == signature
+
+        return crypto.timingSafeEqual(hmac.digest(), signatureBuffer)
     }
 }
 

tests/webhooks.spec.ts

@@ -22,4 +22,15 @@ describe("Get Webhook Test", () => {
             expect(res.data.type === "webhook").toBeTruthy()
         })
     })
+})
+
+describe("Verify Webhook test", () => {
+    test("verify webhook signature", () => {
+        const signature = "UUNz8ch1Ovjg+ijXUEwlAlWEktU="
+        const secret = "OB2HL5E3B4HJ7IVXRNL4YQKYIQIVJK36ZZLPZEFWZVSDSC7LLFJQ===="
+        const payload = {"data":[{"id":"46306092","type":"application.approved","attributes":{"createdAt":"2025-08-05T06:48:38.957Z","tags":{"key":"another-tag","test":"webhook-tag","number":"111"}},"relationships":{"application":{"data":{"id":"3895367","type":"individualApplication"}},"customer":{"data":{"id":"3310133","type":"individualCustomer"}}}}]}
+
+        const verifyResult = unit.webhooks.verify(signature, secret, payload)
+        expect(verifyResult).toBeTruthy()
+    })
 })