Enforce HMAC signature verification on inbound webhook routes in `webhook.routes.ts`

[greatest0fallt1me]

Description

src/webhooks/webhook.signature.ts provides signing utilities, but inbound webhook routes must verify signatures and reject replays. This backend task adds signature-verification middleware to src/webhooks/webhook.routes.ts, including timestamp tolerance and a timing-safe comparison to prevent forged callbacks.

Requirements and Context

• Verify the HMAC signature header against the raw request body.
• Reject requests outside a configurable timestamp tolerance window (replay protection).
• Use timing-safe comparison and return 401 on mismatch.
• Must be secure, tested, and documented
• Should be efficient and easy to review

Suggested Execution

1. Fork the repo and create a branch

   git checkout -b feature/webhook-signature-verification

2. Implement changes
   • src/webhooks/webhook.routes.ts — add verify middleware
   • src/webhooks/webhook.signature.ts — add verify helper
   • Preserve raw body for verification
3. Test and commit
   • npm test -- src/webhooks/webhook.signature.test.ts src/webhooks/webhook.auth.test.ts
   • Cover edge cases
   • Include test output and notes in the PR

Example commit message

feat: verify HMAC signatures on inbound webhooks

Acceptance Criteria

• Invalid or missing signatures are rejected with 401
• Stale timestamps outside tolerance are rejected
• Comparison is timing-safe

Guidelines

• Minimum 90% test coverage with Jest
• Clear documentation and inline comments
• Timeframe: 96 hours

[centboy123]

@centboy123 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I would like to work on this issue because securing inbound webhooks is a vital defensive layer for any production backend application. Enforcing Hash-based Message Authentication Code (HMAC) signature verification ensures that incoming payloads are authentic, originate from the trusted third party provider, and have not been tampered with mid transit

Relevant experience

Backend Security Strong experience handling authentication, data encryption, and implementing cryptographic utilities in backend frameworks.

Defensive Coding Well versed in input validation, header verification, and handling raw payload streams for accurate hash generation.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @centboy123 to this issue.

[drips-wave]

Congratulations, @centboy123! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @centboy123: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊