fix(webhooks): harden github webhook signature verification #1916

Merged
Priyanshu-byte-coder merged 1 commit into Priyanshu-byte-coder:main from riddhimagupta2:fix/webhook-timing-safe-signature on Jun 3, 2026
Conversation

@riddhimagupta2 (Contributor)

Summary

Improves GitHub webhook security by hardening signature verification and adding replay attack protection.

Closes #1610
Type of Change

  • Security Fix
  • Bug Fix
  • New Feature
  • Documentation Update

Changes Made

  • Replaced local webhook signature verification with the centralized implementation from src/lib/crypto.ts
  • Ensured constant-time signature comparison using Node.js crypto.timingSafeEqual()
  • Reused the shared verifyGitHubSignature() utility to avoid duplicate security logic
  • Added replay attack protection using the X-GitHub-Delivery header
  • Added validation to reject duplicate webhook deliveries within a defined time window
  • Improved maintainability by centralizing webhook verification behavior

Security Improvements

  • Prevents timing attacks during HMAC signature verification
  • Enforces constant-time comparison for webhook signatures
  • Rejects replayed webhook requests
  • Reduces risk of unauthorized webhook execution and cache invalidation

How to Test

  1. Start the application locally
  2. Send a webhook request with a valid GitHub signature
  3. Verify the request is accepted
  4. Send the same webhook again with the same delivery ID
  5. Verify the request is rejected as a replay
  6. Send a webhook with an invalid signature
  7. Verify a 401 Unauthorized response is returned

Checklist

  • Linked issue in summary
  • Self-reviewed the changes
  • Security-related logic verified
  • No unnecessary files modified
  • Existing webhook functionality preserved

vercel Bot commented Jun 2, 2026

@riddhimagupta2 is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix labels Jun 2, 2026
github-actions Bot commented Jun 2, 2026

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

@Priyanshu-byte-coder Priyanshu-byte-coder added gssoc:approved GSSoC: PR approved for scoring level:intermediate GSSoC: Intermediate difficulty (35 pts) quality:clean GSSoC: Clean quality multiplier (×1.2) labels Jun 3, 2026
@Priyanshu-byte-coder Priyanshu-byte-coder merged commit fdf0173 into Priyanshu-byte-coder:main Jun 3, 2026
11 checks passed
github-actions Bot commented Jun 3, 2026

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!

Development

Successfully merging this pull request may close these issues.

[Security] Webhook endpoint vulnerable to timing attacks on signature verification