Skip to content

security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks#187

Open
Dafuriousis wants to merge 1 commit intoritik4ever:mainfrom
Dafuriousis:security/webhook-hmac-signature
Open

security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks#187
Dafuriousis wants to merge 1 commit intoritik4ever:mainfrom
Dafuriousis:security/webhook-hmac-signature

Conversation

@Dafuriousis
Copy link
Copy Markdown

@Dafuriousis Dafuriousis commented Apr 25, 2026

closes #157

Wave 4 – Security hardening

What changed

  • webhook.ts: export computeSignature(secret, body) helper that computes sha256= via HMAC-SHA256 (crypto.createHmac)
  • webhookWorker.ts: replace inline createHmac call with computeSignature; rename header X-Webhook-Signature → X-StellarStream-Signature
  • webhook.test.ts: add two unit tests for computeSignature • cross-validates against a manual createHmac call • asserts a known fixed digest (hello / secret)
  • README.md: update webhook signing section – correct header name, add full Node.js verification example using timingSafeEqual

Why

Webhook consumers had no way to verify that a delivery originated from StellarStream. The HMAC-SHA256 signature lets receivers authenticate payloads before processing them, preventing spoofed or replayed events.

Verification

All 6 webhook tests pass (npm test -- run src/services/webhook.test.ts).

@Dafuriousis
security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks
6eedd4f 
Wave 4 – Security hardening

## What changed

- webhook.ts: export computeSignature(secret, body) helper that computes
  sha256=<hex> via HMAC-SHA256 (crypto.createHmac)
- webhookWorker.ts: replace inline createHmac call with computeSignature;
  rename header X-Webhook-Signature → X-StellarStream-Signature
- webhook.test.ts: add two unit tests for computeSignature
    • cross-validates against a manual createHmac call
    • asserts a known fixed digest (hello / secret)
- README.md: update webhook signing section – correct header name,
  add full Node.js verification example using timingSafeEqual

## Why

Webhook consumers had no way to verify that a delivery originated from
StellarStream. The HMAC-SHA256 signature lets receivers authenticate
payloads before processing them, preventing spoofed or replayed events.

## Verification

All 6 webhook tests pass (npm test -- run src/services/webhook.test.ts).
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 25, 2026

@Dafuriousis is attempting to deploy a commit to the ritik4ever's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented Apr 25, 2026

@Dafuriousis Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[wave4][backend] Add HMAC-SHA256 signature to webhook payloads

1 participant

@Dafuriousis