updated webhook verify to be more secure

Yaniv-Nimni · Yaniv-Nimni · commit b57c361b9761 · 2025-08-04T16:28:41.000+03:00
diff --git a/resources/webhooks.ts b/resources/webhooks.ts
@@ -42,9 +42,11 @@ export class Webhooks extends BaseResource {
     }
 
     public verify(signature: string, secret: string, payload: any) {
+        const signatureBuffer = Buffer.from(signature, "base64")
         const hmac = crypto.createHmac("sha1", secret)
         hmac.update(JSON.stringify(payload))
-        return hmac.digest("base64") == signature
+
+        return crypto.timingSafeEqual(hmac.digest(), signatureBuffer)
     }
 }
 
diff --git a/tests/webhooks.spec.ts b/tests/webhooks.spec.ts
@@ -22,4 +22,15 @@ describe("Get Webhook Test", () => {
             expect(res.data.type === "webhook").toBeTruthy()
         })
     })
+})
+
+describe("Verify Webhook test", () => {
+    test("verify webhook signature", () => {
+        const signature = "TzmTqUPhGiyHfKcpYoXePi/EVf0="
+        const secret = "QK89mgP2v9KPGXVRp92IfYtHpbzrLpsjMp6sfWOPasQ="
+        const payload = {"data":[{"id":"24","type":"application.created","attributes":{"createdAt":"2025-08-04T13:12:33.887Z","tags":{"key":"another-tag","test":"webhook-tag","number":"111"}},"relationships":{"application":{"data":{"id":"10006","type":"individualApplication"}}}}],"included":[{"id":"10006","type":"individualApplication","attributes":{"ssn":"663885441","tags":{"key":"another-tag","test":"webhook-tag","number":"111"},"email":"cheryl.mercado@mymail.com","phone":{"number":"3476042441","countryCode":"1"},"status":"New","address":{"city":"Cedar Falls","state":"IA","street":"26 Cardinal Dr.","country":"US","postalCode":"50613"},"message":"Pre created application","archived":false,"fullName":{"last":"Mercado","first":"Cheryl"},"createdAt":"2025-08-04T13:12:33.887Z","maskedSSN":"*****5441","occupation":"Doctor","dateOfBirth":"1946-04-11","evaluationId":null,"decisionMethod":null,"decisionReason":null,"decisionUserId":null,"evaluationCodes":null,"evaluationScores":null,"evaluationOutcome":null,"evaluationEntityId":null,"soleProprietorship":false},"relationships":{"org":{"data":{"id":"2","type":"org"}}}}]}
+
+        const verifyResult = unit.webhooks.verify(signature, secret, payload)
+        expect(verifyResult).toBeTruthy()
+    })
 })

Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,11 @@ export class Webhooks extends BaseResource {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`public verify(signature: string, secret: string, payload: any) {`
	`45`	`+ const signatureBuffer = Buffer.from(signature, "base64")`
`45`	`46`	`const hmac = crypto.createHmac("sha1", secret)`
`46`	`47`	`hmac.update(JSON.stringify(payload))`
`47`		`- return hmac.digest("base64") == signature`
	`48`	`+`
	`49`	`+ return crypto.timingSafeEqual(hmac.digest(), signatureBuffer)`
`48`	`50`	`}`
`49`	`51`	`}`
`50`	`52`