Description
Webhook signature verification in src/webhookDelivery.ts needs adversarial coverage. Add property-based tests that fuzz signatures, headers, and bodies to ensure no malformed input bypasses verification or throws unhandled errors.
Requirements and context
- Use generated inputs (random bytes, truncated signatures, wrong-length HMACs, mismatched encodings) to assert rejection.
- Confirm constant-time comparison behavior and that errors route through safeErrors.ts.
- Acceptance: fuzz suite runs deterministically with a fixed seed; zero accepted forgeries; branch coverage on verify path >= 95%.
Suggested execution
- Fork the repo and create a branch:
git checkout -b test/hmac-property-tests
- Implement changes:
src/webhookDelivery.ts
- Tests:
src/webhookDelivery.test.ts
- Docs:
docs/webhook-signature-verification.md
- Include TSDoc/NatSpec-style doc comments
- Validate security assumptions (input validation, auth, signature verification, secret redaction, idempotency)
Test and commit
- Run tests:
npm test (coverage: npm run test:ci)
- Cover edge cases
- Include test output and security notes in the PR
Example commit message
test(webhooks): add property-based HMAC verification tests
Guidelines
- Minimum 95% line coverage on new/changed code
- No secrets in repo; use .env + deployment secrets only
- Clear documentation
- Timeframe: 96 hours from assignment