docs: add webhook signature validation how-to#594
Conversation
Task-first how-to covering the uselesskey-webhook surface: how to generate a deterministic provider-style webhook fixture (GitHub/Stripe/Slack), how to verify it in a downstream consumer, and how to drive the three near-miss negatives (stale timestamp, wrong secret, tampered payload). Part of the Phase 4 task-first user-paths sweep.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6ad9ad5a31
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| let expected = hex::encode(mac.finalize().into_bytes()); | ||
| v1 == Some(expected.as_str()) |
There was a problem hiding this comment.
Use a constant-time signature comparison
This verifier is presented as recomputing the HMAC and comparing it “in constant time,” but the sample uses ordinary string equality, which can short-circuit based on matching prefixes. Because this guide is for webhook verification code that users may copy into consumers, the example should use a constant-time equality primitive such as subtle::ConstantTimeEq or hmac::Mac::verify_slice after decoding the header digest.
Useful? React with 👍 / 👎.
Summary
Pure docs PR. Task-first how-to for webhook signature validation. Part of the Phase 4 task-first user-paths sweep.
docs/how-to/test-webhook-signature-validation.mdwalking through theuselesskey-webhooksurface: generating a deterministic provider-style fixture (fx.webhook_stripe,fx.webhook_github,fx.webhook_slack), verifying it in a downstream consumer with the per-provider base string, and driving the three near-miss negatives (StaleTimestamp,WrongSecret,TamperedPayload).crates/uselesskey-webhook/src/lib.rs—WebhookFactoryExt,WebhookFixture { secret, payload, headers, timestamp, signature_input }, and thenear_miss_*constructors. No new APIs are invented.Files added
docs/how-to/test-webhook-signature-validation.mdTest plan
cargo xtask docs-sync --checkcargo xtask typosgit diff --check