Page MenuHomePhabricator

[keyserver] verify webhook event with webhook secret
ClosedPublic

Authored by will on Oct 20 2024, 10:03 PM.
Tags
None
Referenced Files
F3381047: D13756.id.diff
Thu, Nov 28, 3:52 AM
Unknown Object (File)
Mon, Nov 25, 8:31 AM
Unknown Object (File)
Mon, Nov 25, 6:46 AM
Unknown Object (File)
Sat, Nov 23, 4:35 AM
Unknown Object (File)
Wed, Nov 20, 12:47 PM
Unknown Object (File)
Wed, Nov 20, 8:29 AM
Unknown Object (File)
Wed, Nov 20, 8:29 AM
Unknown Object (File)
Fri, Nov 15, 5:12 PM
Subscribers

Details

Summary

This verifies the webhook event with X-Neynar-Signature and the webhook secret to verify it's coming from Neynar.

Depends on D13755

Test Plan

Tested by triggering a webhook event on warpcast and verifying that isValid was true.
Verified that a webhook event with a differing body resulted in isValid evaluating as false

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

will requested review of this revision.Oct 20 2024, 10:22 PM
ashoat added inline comments.
keyserver/src/responders/farcaster-webhook-responders.js
16

Nit

20

How about signature, to match naming below

34

Nit: don't know if we need the isValid variable... I would just inline the check on line 35

You could probably even inline signature === hmac.digest('hex') directly, to be honest

This revision is now accepted and ready to land.Oct 21 2024, 8:57 AM
will marked 3 inline comments as done.Oct 28 2024, 1:52 PM
keyserver/src/responders/farcaster-webhook-responders.js
16

Addressed in latest rebase

20

Changed to signature

34

I inlined it in the function but also introduced a isValidSignature