Skip to content

Add verify_webhook_signature helper for webhook authenticity#87

Open
roznawsk wants to merge 1 commit into
mainfrom
webhook-signature-verification
Open

Add verify_webhook_signature helper for webhook authenticity#87
roznawsk wants to merge 1 commit into
mainfrom
webhook-signature-verification

Conversation

@roznawsk

Copy link
Copy Markdown
Member

Description

Adds verify_webhook_signature(body, signature, secret) to fishjam: verifies the x-fishjam-signature-256 header (GitHub-style sha256=<hex> HMAC-SHA256 of the raw body, prefix optional) using hmac.compare_digest for constant-time comparison. Exported next to decode_server_notifications; call it on the raw request body before decoding.

Motivation and Context

Fishjam now signs webhook notifications. Without an SDK helper, users hand-roll verification with ==, which is timing-attackable. Same helper already added to the JS server SDK.

Documentation impact

  • Documentation update required
  • Documentation updated in another PR
  • No documentation update required

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to
    not work as expected)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a public helper to verify Fishjam webhook authenticity by validating the x-fishjam-signature-256 HMAC-SHA256 signature against the raw request body, complementing the existing webhook decoding utilities in fishjam.

Changes:

  • Added verify_webhook_signature(body, signature, secret) using hmac.compare_digest for constant-time comparison.
  • Exported the helper from fishjam.__init__ alongside existing webhook helpers.
  • Added unit tests covering valid signatures (with/without sha256= prefix) and common failure cases.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
fishjam/_webhook_notifier.py Implements verify_webhook_signature for validating signed webhook bodies.
fishjam/__init__.py Re-exports verify_webhook_signature as part of the public SDK API.
tests/test_webhook_notifier.py Adds test coverage for signature verification success/failure scenarios.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@roznawsk roznawsk requested review from czerwiukk and removed request for czerwiukk July 14, 2026 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants