Skip to content

feat(webhook-callbacks): add support for verifying http request signatures #144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 1, 2025
Merged

feat(webhook-callbacks): add support for verifying http request signatures #144

merged 9 commits into from
Oct 1, 2025

Conversation

hamzamahmood
Copy link
Collaborator

Why

To ensure secure handling of incoming webhook and callback requests, we need to validate their authenticity. Without signature verification, there is a risk of processing spoofed or tampered requests. Adding a standard verification mechanism also makes it easier to plug in custom verification strategies as needed.

What

  • IHttpRequstData interface added to handle asp.net and asp.netcore requests
  • Introduced ISignatureVerifier contract to enable pluggable custom verification implementations.
  • Added configurable HMAC signature verification as the default implementation.
  • Implemented DigestCodec with support for Hex, Base64, and Base64Url encodings.
  • Added unit tests to validate the correctness of signature verification.

Type of change

Select multiple if applicable.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause a breaking change)
  • Tests (adds or updates tests)
  • Documentation (adds or updates documentation)
  • Refactor (style improvements, performance improvements, code refactoring)
  • Revert (reverts a commit)
  • CI/Build (adds or updates a script, change in external dependencies)

Testing

Unit tests for the signature verification have been added

Checklist

  • My code follows the coding conventions
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added new unit tests

@hamzamahmood
feat(webhook-callbacks): add support for verifying http request signa…
7cde5a1 
…tures

- Adds a ISignatureVerifier contract for custom signature verification
- Adds configurable HMAC signature verification
- Adds test for signature verification
- Adds DigestCodec hex, Base64 and Base64Url support
@hamzamahmood hamzamahmood self-assigned this Sep 8, 2025
@hamzamahmood hamzamahmood added the enhancement New feature or request label Sep 8, 2025
@hamzamahmood
update README.md
91f0ffc
@hamzamahmood
rename resolver to requestSignatureTemplateResolverAsync and add doc …
6703276 
…block for _digestCodec
@hamzamahmood
- add configurable Hmac has algorithm
f01a82a 
- add tests for HmacFactory
- add unit test for ExpectedTemplate and SignatureValue
sufyankhanrao
sufyankhanrao requested changes Sep 23, 2025
View reviewed changes
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sufyankhanrao sufyankhanrao marked this pull request as ready for review October 1, 2025 06:56
sufyankhanrao
sufyankhanrao approved these changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@sufyankhanrao sufyankhanrao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hamzamahmood hamzamahmood merged commit e491c53 into main Oct 1, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sufyankhanrao sufyankhanrao sufyankhanrao approved these changes

Assignees

@hamzamahmood hamzamahmood

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hamzamahmood @sufyankhanrao