Page MenuHomePhabricator
Differential D13756

[keyserver] verify webhook event with webhook secret
ClosedPublic
Actions

Authored by will on Oct 20 2024, 10:03 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 23, 4:35 AM
Unknown Object (File)
Wed, Nov 20, 12:47 PM
Unknown Object (File)
Wed, Nov 20, 8:29 AM
Unknown Object (File)
Wed, Nov 20, 8:29 AM
Unknown Object (File)
Fri, Nov 15, 5:12 PM
Unknown Object (File)
Mon, Nov 11, 7:11 PM
Unknown Object (File)
Sun, Nov 10, 1:53 PM
Unknown Object (File)
Sun, Nov 10, 5:43 AM
View All 32 Files
Subscribers
tomek

Details

Reviewers
ashoat
varun
Commits
rCOMM7166879e117a: [keyserver] verify webhook event with webhook secret
Summary

This verifies the webhook event with X-Neynar-Signature and the webhook secret to verify it's coming from Neynar.

Depends on D13755

Test Plan

Tested by triggering a webhook event on warpcast and verifying that isValid was true.
Verified that a webhook event with a differing body resulted in isValid evaluating as false

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

will created this revision.Oct 20 2024, 10:03 PM
Herald added a subscriber: tomek. · View Herald TranscriptOct 20 2024, 10:03 PM
Harbormaster completed remote builds in B32312: Diff 45286.Oct 20 2024, 10:22 PM
will requested review of this revision.Oct 20 2024, 10:22 PM
ashoat accepted this revision.Oct 21 2024, 8:57 AM
ashoat added inline comments.
keyserver/src/responders/farcaster-webhook-responders.js
16 ↗(On Diff #45286)

Nit

20 ↗(On Diff #45286)

How about signature, to match naming below

34 ↗(On Diff #45286)

Nit: don't know if we need the isValid variable... I would just inline the check on line 35

You could probably even inline signature === hmac.digest('hex') directly, to be honest

This revision is now accepted and ready to land.Oct 21 2024, 8:57 AM
will added a child revision: D13762: [lib] implement fetchFarcasterCastByHash for neynar client.Oct 21 2024, 1:40 PM
will updated this revision to Diff 45412.Mon, Oct 28, 1:51 PM

feedback

will marked 3 inline comments as done.Mon, Oct 28, 1:52 PM
Harbormaster completed remote builds in B32390: Diff 45412.Mon, Oct 28, 2:08 PM
will mentioned this in D13775: [keyserver] add community creation logic to farcaster webhook responder.Tue, Oct 29, 4:50 PM
will added inline comments.Wed, Oct 30, 1:34 PM
keyserver/src/responders/farcaster-webhook-responders.js
16 ↗(On Diff #45286)

Addressed in latest rebase

20 ↗(On Diff #45286)

Changed to signature

34 ↗(On Diff #45286)

I inlined it in the function but also introduced a isValidSignature

will updated this revision to Diff 45489.Wed, Oct 30, 1:40 PM

rebase

Harbormaster completed remote builds in B32456: Diff 45489.Wed, Oct 30, 2:27 PM
Closed by commit rCOMM7166879e117a: [keyserver] verify webhook event with webhook secret (authored by will). · Explain WhyThu, Oct 31, 12:18 PM
This revision was automatically updated to reflect the committed changes.
will added a commit: rCOMM7166879e117a: [keyserver] verify webhook event with webhook secret.

Revision Contents
Changeset List

PathSize
keyserver/
src/
responders/
39 lines

Diff 45412

View Options

keyserver/src/responders/farcaster-webhook-responders.js

Loading...