Description
src/lib/webhookSignature.ts and src/middleware/webhookAuth.ts verify the WEBHOOK_SIGNATURE_HEADER/WEBHOOK_TIMESTAMP_HEADER, but tests should prove the timestamp tolerance rejects stale or future-dated requests and that signature comparison is constant-time. Expand coverage on the clock-skew and replay-protection logic.
Requirements and context
- Must be secure, tested, and documented
- Should be efficient and easy to review
- Relevant code: src/lib/webhookSignature.ts, src/middleware/webhookAuth.ts, src/middleware/webhookAuth.test.ts
- Stale timestamps outside the tolerance window must be rejected as unauthorized
Suggested execution
- Fork the repo and create a branch
  git checkout -b test/webhook-clock-skew
- Implement changes
  - Add tests for timestamps just inside/outside the allowed skew
  - Assert tampered signatures are rejected and comparison is constant-time
  - Assert missing headers return 401
- Validate security and correctness assumptions
Test and commit
- Run tests
  npm test
- Cover edge cases
  - Future-dated timestamp, replayed payload, wrong secret, malformed signature header
- Include test output and notes
Example commit message
test: cover webhook signature clock skew and replay
Guidelines
- Minimum 95 percent test coverage
- Clear documentation
- Timeframe: 96 hours
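
An added example, not the project's code, that exercises the boundary cases listed above against a self-contained verifier. It assumes a hex HMAC-SHA256 over `<unix-seconds>.<raw body>` and a 300-second tolerance; `sign`, `verifyWebhook` and `runMatrix` are hypothetical names, and all inputs are constructed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed scheme (not taken from the project): hex HMAC-SHA256 over "<unix-seconds>.<raw body>".
const TOLERANCE_SECONDS = 300; // assumed skew window
type Verdict = "ok" | "missing_header" | "malformed" | "stale" | "future" | "bad_signature";

function sign(secret: string, timestamp: string, body: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${body}`).digest("hex");
}

// Any verdict other than "ok" is what a middleware would answer with 401.
function verifyWebhook(
  secret: string, body: string,
  signature: string | undefined, timestamp: string | undefined,
  nowSeconds: number,
): Verdict {
  if (!signature || !timestamp) return "missing_header";
  // Strict format checks before any crypto: decimal digits only, exactly 64 hex chars.
  if (!/^\d{1,12}$/.test(timestamp) || !/^[0-9a-f]{64}$/i.test(signature)) return "malformed";
  const skew = nowSeconds - Number(timestamp);
  if (skew > TOLERANCE_SECONDS) return "stale";
  if (skew < -TOLERANCE_SECONDS) return "future";
  const expected = Buffer.from(sign(secret, timestamp, body), "hex");
  const given = Buffer.from(signature, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on a length mismatch.
  return timingSafeEqual(expected, given) ? "ok" : "bad_signature";
}

// Constructed matrix: one second either side of each tolerance edge, plus the tamper cases.
function runMatrix() {
  const secret = "constructed-secret", body = '{"event":"ping"}', now = 1700000000;
  const at = (offset: number): Verdict => {
    const t = String(now + offset);
    return verifyWebhook(secret, body, sign(secret, t, body), t, now);
  };
  const ts = String(now);
  const good = sign(secret, ts, body);
  return {
    insideStale: at(-TOLERANCE_SECONDS),
    outsideStale: at(-TOLERANCE_SECONDS - 1),
    insideFuture: at(TOLERANCE_SECONDS),
    outsideFuture: at(TOLERANCE_SECONDS + 1),
    wrongSecret: verifyWebhook(secret, body, sign("other-secret", ts, body), ts, now),
    tamperedBody: verifyWebhook(secret, body + " ", good, ts, now),
    malformedSig: verifyWebhook(secret, body, "zz", ts, now),
    missingHeader: verifyWebhook(secret, body, undefined, ts, now),
    replayLater: verifyWebhook(secret, body, good, ts, now + TOLERANCE_SECONDS + 1),
  };
}
```

The timestamp check only bounds the replay window: a request resent inside the tolerance still verifies unless the receiver also tracks signatures or event ids it has already accepted.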