Skip to content

security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks#187

Merged
ritik4ever merged 2 commits into
ritik4ever:mainfrom
Dafuriousis:security/webhook-hmac-signature
Apr 28, 2026
Merged

security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks#187
ritik4ever merged 2 commits into
ritik4ever:mainfrom
Dafuriousis:security/webhook-hmac-signature

Conversation

@Dafuriousis
Copy link
Copy Markdown
Contributor

@Dafuriousis Dafuriousis commented Apr 25, 2026

closes #157

Wave 4 – Security hardening

What changed

  • webhook.ts: export computeSignature(secret, body) helper that computes sha256= via HMAC-SHA256 (crypto.createHmac)
  • webhookWorker.ts: replace inline createHmac call with computeSignature; rename header X-Webhook-Signature → X-StellarStream-Signature
  • webhook.test.ts: add two unit tests for computeSignature • cross-validates against a manual createHmac call • asserts a known fixed digest (hello / secret)
  • README.md: update webhook signing section – correct header name, add full Node.js verification example using timingSafeEqual

Why

Webhook consumers had no way to verify that a delivery originated from StellarStream. The HMAC-SHA256 signature lets receivers authenticate payloads before processing them, preventing spoofed or replayed events.

Verification

All 6 webhook tests pass (npm test -- run src/services/webhook.test.ts).

@Dafuriousis
security: add X-StellarStream-Signature HMAC-SHA256 header to webhooks
6eedd4f 
Wave 4 – Security hardening

## What changed

- webhook.ts: export computeSignature(secret, body) helper that computes
  sha256=<hex> via HMAC-SHA256 (crypto.createHmac)
- webhookWorker.ts: replace inline createHmac call with computeSignature;
  rename header X-Webhook-Signature → X-StellarStream-Signature
- webhook.test.ts: add two unit tests for computeSignature
    • cross-validates against a manual createHmac call
    • asserts a known fixed digest (hello / secret)
- README.md: update webhook signing section – correct header name,
  add full Node.js verification example using timingSafeEqual

## Why

Webhook consumers had no way to verify that a delivery originated from
StellarStream. The HMAC-SHA256 signature lets receivers authenticate
payloads before processing them, preventing spoofed or replayed events.

## Verification

All 6 webhook tests pass (npm test -- run src/services/webhook.test.ts).
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 25, 2026

@Dafuriousis is attempting to deploy a commit to the ritik4ever's projects Team on Vercel.

A member of the Team first needs to authorize it.

@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented Apr 25, 2026

@Dafuriousis Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 28, 2026

Warning

Rate limit exceeded

@ritik4ever has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 56 minutes and 9 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4a1ba42d-15a6-4575-9fbf-5dfc1b0f0c33

📥 Commits

Reviewing files that changed from the base of the PR and between 143c7db and 81c0fad.

📒 Files selected for processing (4)
  • README.md
  • backend/src/services/webhook.test.ts
  • backend/src/services/webhook.ts
  • backend/src/services/webhookWorker.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ritik4ever ritik4ever merged commit ac572d0 into ritik4ever:main Apr 28, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[wave4][backend] Add HMAC-SHA256 signature to webhook payloads

2 participants

@Dafuriousis @ritik4ever