feat: add webhook signature verification and fix security issues

Security Improvements: - Add HMAC-SHA256 signature verification for MailGun webhooks - Remove hardcoded signing key fallback, require env variable - Add proper payload structure validation before processing API Changes: - New types: MailgunWebhookPayload, MailgunWebhookPayloadSignature - New type guard: isMailgunWebhookPayload() - Returns 401 for invalid signatures, 400 for malformed payloads Configuration: - Add MAILGUN_WEBHOOK_SIGNING_KEY to both docker-compose files - Service fails fast on startup if signing key not configured 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-07 22:13:09 +01:00
parent 0faac8e392
commit 3d02654510
4 changed files with 71 additions and 2 deletions
--- a/docker-stack/docker-compose-standalone.yaml
+++ b/docker-stack/docker-compose-standalone.yaml
@@ -88,6 +88,7 @@ services:
      PROMETHEUS_APP_LABEL: mailgun-webhook-service
      PROMETHEUS_HISTOGRAM_BUCKETS: 0.1,0.5,1,5,10
      DEBUG: server:*,app:*
+      MAILGUN_WEBHOOK_SIGNING_KEY: ${MAILGUN_WEBHOOK_SIGNING_KEY}
    container_name: evidencija-rezija__mailgun-webhook
    restart: unless-stopped
    labels:
--- a/docker-stack/docker-compose-swarm.yml
+++ b/docker-stack/docker-compose-swarm.yml
@@ -88,6 +88,7 @@ services:
      PROMETHEUS_APP_LABEL: mailgun-webhook-service
      PROMETHEUS_HISTOGRAM_BUCKETS: 0.1,0.5,1,5,10
      DEBUG: server:*,app:*
+      MAILGUN_WEBHOOK_SIGNING_KEY: ${MAILGUN_WEBHOOK_SIGNING_KEY}
    deploy:
      restart_policy:
        condition: any
--- a/mailgun-webhook/src/routes/webhookRouter.ts
+++ b/mailgun-webhook/src/routes/webhookRouter.ts
@@ -9,9 +9,31 @@
 import { Router, Request, Response, NextFunction } from 'express';
 import createError from 'http-errors';
 import { AppLocals } from '../types/AppLocals';
-import { isValidMailgunEvent, MailgunWebhookEvent } from '../types/MailgunWebhookEvent';
+import { isMailgunWebhookPayload, isValidMailgunEvent, MailgunWebhookEvent, MailgunWebhookPayloadSignature } from '../types/MailgunWebhookEvent';
 import { successfulRequestCounter } from '../lib/metricsCounters';
 import { logInfo, logError, logWarn } from '../lib/logger';
+import crypto from 'crypto';
+
+const WEBHOOK_SIGNING_KEY = process.env.MAILGUN_WEBHOOK_SIGNING_KEY;
+
+if (!WEBHOOK_SIGNING_KEY) {
+  logError('Configuration Error', 'MAILGUN_WEBHOOK_SIGNING_KEY environment variable is not set');
+  throw new Error('MAILGUN_WEBHOOK_SIGNING_KEY environment variable is required');
+}
+
+/**
+ * Verifies the MailGun webhook signature
+ * @param param0 - Object containing signingKey, timestamp, token, and signature
+ * @returns boolean indicating if the signature is valid
+ */
+const verifySignature = ({ timestamp, token, signature }: MailgunWebhookPayloadSignature) => {
+    const encodedToken = crypto
+        .createHmac('sha256', WEBHOOK_SIGNING_KEY)
+        .update(timestamp.concat(token))
+        .digest('hex')
+
+    return (encodedToken === signature)
+}

 /**
 * Formats a Unix timestamp into a human-readable date string
@@ -117,7 +139,16 @@ const logWebhookEvent = (eventData: MailgunWebhookEvent): void => {
 */
 export const webhookRequestHandler = async (req: Request, res: Response, next: NextFunction) => {
  try {
-    const eventData = req.body as any;
+
+    const payload = req.body as any;
+
+    if(!isMailgunWebhookPayload(payload)) {
+      logWarn('Invalid webhook payload structure', JSON.stringify(payload));
+      next(createError(400, 'Invalid request format: payload structure is incorrect'));
+      return;
+    }
+
+    const { signature, "event-data": eventData } = payload;

    // Validate that we have the minimum required fields
    if (!isValidMailgunEvent(eventData)) {
@@ -126,6 +157,19 @@ export const webhookRequestHandler = async (req: Request, res: Response, next: N
      return;
    }

+    // Verify webhook signature
+    const isValidSignature = verifySignature({
+      timestamp: signature.timestamp,
+      token: signature.token,
+      signature: signature.signature
+    });
+
+    if(!isValidSignature) {
+      logWarn('Invalid webhook signature', JSON.stringify(signature));
+      next(createError(401, 'Unauthorized: invalid webhook signature'));
+      return;
+    }
+
    // Log the webhook event to console
    logWebhookEvent(eventData as MailgunWebhookEvent);

--- a/mailgun-webhook/src/types/MailgunWebhookEvent.ts
+++ b/mailgun-webhook/src/types/MailgunWebhookEvent.ts
@@ -14,6 +14,17 @@ export type MailgunEventType =
  | 'complained'
  | 'unsubscribed';

+export interface MailgunWebhookPayload {
+  signature: MailgunWebhookPayloadSignature;
+  "event-data": MailgunWebhookEvent;
+} 
+
+export interface MailgunWebhookPayloadSignature {
+  token: string;
+  timestamp: string;
+  signature: string;
+}
+
 /**
 * Base interface for all MailGun webhook events
 * Contains fields common to all event types
@@ -163,3 +174,15 @@ export function isValidMailgunEvent(data: any): data is MailgunWebhookEventBase
    typeof data.recipient === 'string'
  );
 }
+
+/**
+ * Type guard to check if data is a MailgunWebhookPayload
+ */
+export function isMailgunWebhookPayload(data: any): data is MailgunWebhookPayload {
+  return (
+    data &&
+    typeof data === 'object' &&
+    typeof data.signature === 'object' &&
+    typeof data['event-data'] === 'object'
+  );
+}