Issue [Security] Add authentication and signature verification to Stellar webhook endpoint
Tier: 🔴 Hard
Description:
Problem: The Stellar webhook endpoint at POST /api/webhooks/stellar (defined in src/modules/webhooks/iot.routes.ts lines 21-25) has no authentication middleware — neither requireAuth nor requireApiKey. The StellarWebhookHeadersSchema in src/modules/webhooks/stellar.webhook.validation.ts defines x-stellar-signature as optional and the signature is never verified. This means any external actor can send forged webhook payloads to mark payments as RELEASED, ESCROWED, or FAILED, directly manipulating financial records without authorization.
Implementation:
Make x-stellar-signature required in StellarWebhookHeadersSchema.
Add a verifyStellarSignature middleware that computes an HMAC-SHA256 over the raw request body bytes (captured before JSON parsing, since a re-serialized body may not match what the sender signed) using a shared secret stored in environment variables, e.g., STELLAR_WEBHOOK_SECRET, and compares the result to x-stellar-signature with a constant-time comparison (crypto.timingSafeEqual), never with ===.
Add the STELLAR_WEBHOOK_SECRET to src/env.ts validation schema.
Apply the verification middleware to the Stellar webhook route.
Reject requests with missing or invalid signatures with 401.
Dependencies:
Depends on None
Acceptance Criteria:
x-stellar-signature header is required on all Stellar webhook requests.
Request body signature is verified against STELLAR_WEBHOOK_SECRET using HMAC-SHA256.
Requests with missing or invalid signatures receive 401 Unauthorized.
Valid signed requests are processed normally.
STELLAR_WEBHOOK_SECRET is added to env.ts Zod schema.
Proper HTTP status codes and our standard JSON response wrapper are used.
Edge cases (e.g., missing data, unauthorized roles) are handled gracefully.
Testing Requirements:
Add test: request without x-stellar-signature returns 401.
Add test: request with invalid signature returns 401.
Add test: request with valid signature processes correctly.
Unit tests written for the core logic (target 80%+ coverage).
External API calls or database connections are mocked in unit tests.
Postman collection or Swagger spec updated (if this adds/modifies an endpoint).
PR Checklist:
Branch is named conventionally (e.g., security/issue-46-stellar-webhook-auth).
npm run lint and npm run build pass with zero warnings.
Screenshot of passing Jest terminal logs is attached to the PR.
Domain: Webhooks