knee-cola/evidencija-rezija
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add webhook signature verification and fix security issues

Browse Source 
Security Improvements:
- Add HMAC-SHA256 signature verification for MailGun webhooks
- Remove hardcoded signing key fallback, require env variable
- Add proper payload structure validation before processing

API Changes:
- New types: MailgunWebhookPayload, MailgunWebhookPayloadSignature
- New type guard: isMailgunWebhookPayload()
- Returns 401 for invalid signatures, 400 for malformed payloads

Configuration:
- Add MAILGUN_WEBHOOK_SIGNING_KEY to both docker-compose files
- Service fails fast on startup if signing key not configured

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Knee Cola
2026-01-07 22:13:09 +01:00
parent 0faac8e392
commit 3d02654510
4 changed files with 71 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docker-stack/docker-compose-standalone.yaml
View File

@@ -88,6 +88,7 @@ services:
PROMETHEUS_APP_LABEL: mailgun-webhook-service
PROMETHEUS_HISTOGRAM_BUCKETS: 0.1,0.5,1,5,10
DEBUG: server:*,app:*
MAILGUN_WEBHOOK_SIGNING_KEY: ${MAILGUN_WEBHOOK_SIGNING_KEY}
container_name: evidencija-rezija__mailgun-webhook
restart: unless-stopped
labels: