fix: db webhook signature check working properly hopefully

Torwent · Torwent · commit 8e6a975be827 · 2026-03-05T15:30:44.000+01:00
diff --git a/src/lib/utils.ts b/src/lib/utils.ts
@@ -175,10 +175,7 @@ export const scriptStages: Record<TScriptStages, NameValueIcon> = {
 	archived: { name: "Archived", value: "archived", icon: "💀" }
 }
 
-export function hexToBytes(hex: string) {
-	const bytes = new Uint8Array(hex.length / 2)
-	for (let i = 0; i < bytes.length; i++) {
-		bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16)
-	}
-	return bytes as Uint8Array<ArrayBuffer>
+export function base64ToBytes(base64: string) {
+	const binString = atob(base64)
+	return Uint8Array.from(binString, (m) => m.codePointAt(0)!)
 }
diff --git a/src/routes/api/supabase/scripts/simba/+server.ts b/src/routes/api/supabase/scripts/simba/+server.ts
@@ -1,12 +1,11 @@
 import { error, json } from "@sveltejs/kit"
 import { SUPABASE_WEBHOOK_SECRET } from "$env/static/private"
-import { hexToBytes } from "$lib/utils"
+import { base64ToBytes } from "$lib/utils"
 import { getSimbaVersions, resetSimbaVersions } from "$lib/server/versions.server"
 
 export const POST = async ({ request }) => {
 	const signature = request.headers.get("x-supabase-signature")
-	const body = await request.text()
-
+	const bodyPromise = request.text()
 	if (!signature) error(401, "Webhook signature is missing")
 
 	const encoder = new TextEncoder()
@@ -18,9 +17,13 @@ export const POST = async ({ request }) => {
 		["verify"]
 	)
 
-	const isValid = await crypto.subtle.verify("HMAC", key, hexToBytes(signature), encoder.encode(body))
+	const body = await bodyPromise
+	const isValid = await crypto.subtle.verify("HMAC", key, base64ToBytes(signature), encoder.encode(body))
 
-	if (!isValid) error(403, "Webhook signature is not valid")
+	if (!isValid) {
+		console.log("Signature is invalid!\n", "Signature: ", signature, "\nBody: ", body)
+		error(403, "Webhook signature is not valid")
+	}
 
 	const old = await resetSimbaVersions()
 	if (old.length > 0) error(500, "Failed to reset old versions.")
diff --git a/src/routes/api/supabase/scripts/versions/+server.ts b/src/routes/api/supabase/scripts/versions/+server.ts
@@ -1,16 +1,13 @@
 import { error, json } from "@sveltejs/kit"
 import { SUPABASE_WEBHOOK_SECRET } from "$env/static/private"
-import { hexToBytes } from "$lib/utils"
 import { getScriptVersion, resetScriptVersions } from "$lib/server/versions.server"
+import { base64ToBytes } from "$lib/utils"
 
 export const POST = async ({ request }) => {
 	const signature = request.headers.get("x-supabase-signature")
-	const body = await request.text()
-
+	const bodyPromise = request.text()
 	if (!signature) error(401, "Webhook signature is missing")
 
-	console.log("Signature: ", signature)
-
 	const encoder = new TextEncoder()
 	const key = await crypto.subtle.importKey(
 		"raw",
@@ -20,9 +17,13 @@ export const POST = async ({ request }) => {
 		["verify"]
 	)
 
-	const isValid = await crypto.subtle.verify("HMAC", key, hexToBytes(signature), encoder.encode(body))
+	const body = await bodyPromise
+	const isValid = await crypto.subtle.verify("HMAC", key, base64ToBytes(signature), encoder.encode(body))
 
-	if (!isValid) error(403, "Webhook signature is not valid")
+	if (!isValid) {
+		console.log("Signature is invalid!\n", "Signature: ", signature, "\nBody: ", body)
+		error(403, "Webhook signature is not valid")
+	}
 
 	const payload = JSON.parse(body)
 
diff --git a/src/routes/api/supabase/scripts/wasplib/+server.ts b/src/routes/api/supabase/scripts/wasplib/+server.ts
@@ -1,12 +1,11 @@
 import { error, json } from "@sveltejs/kit"
 import { SUPABASE_WEBHOOK_SECRET } from "$env/static/private"
-import { hexToBytes } from "$lib/utils"
+import { base64ToBytes } from "$lib/utils"
 import { getWaspLibVersions, resetWaspLibVersions } from "$lib/server/versions.server"
 
 export const POST = async ({ request }) => {
 	const signature = request.headers.get("x-supabase-signature")
-	const body = await request.text()
-
+	const bodyPromise = request.text()
 	if (!signature) error(401, "Webhook signature is missing")
 
 	const encoder = new TextEncoder()
@@ -18,9 +17,13 @@ export const POST = async ({ request }) => {
 		["verify"]
 	)
 
-	const isValid = await crypto.subtle.verify("HMAC", key, hexToBytes(signature), encoder.encode(body))
+	const body = await bodyPromise
+	const isValid = await crypto.subtle.verify("HMAC", key, base64ToBytes(signature), encoder.encode(body))
 
-	if (!isValid) error(403, "Webhook signature is not valid")
+	if (!isValid) {
+		console.log("Signature is invalid!\n", "Signature: ", signature, "\nBody: ", body)
+		error(403, "Webhook signature is not valid")
+	}
 
 	const old = await resetWaspLibVersions()
 	if (old.length > 0) error(500, "Failed to reset old versions.")

Original file line number	Diff line number	Diff line change
`@@ -175,10 +175,7 @@ export const scriptStages: Record<TScriptStages, NameValueIcon> = {`
`175`	`175`	`archived: { name: "Archived", value: "archived", icon: "💀" }`
`176`	`176`	`}`
`177`	`177`
`178`		`-export function hexToBytes(hex: string) {`
`179`		`- const bytes = new Uint8Array(hex.length / 2)`
`180`		`- for (let i = 0; i < bytes.length; i++) {`
`181`		`- bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16)`
`182`		`- }`
`183`		`- return bytes as Uint8Array<ArrayBuffer>`
	`178`	`+export function base64ToBytes(base64: string) {`
	`179`	`+ const binString = atob(base64)`
	`180`	`+ return Uint8Array.from(binString, (m) => m.codePointAt(0)!)`
`184`	`181`	`}`