sneak/upaas
1
0
Fork 0
Code Issues 9 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

fix: use hashed webhook secrets for constant-time comparison

Browse Source 
Store a SHA-256 hash of the webhook secret in a new webhook_secret_hash
column. FindAppByWebhookSecret now hashes the incoming secret and queries
by hash, eliminating the SQL string comparison timing side-channel.

- Add migration 005_add_webhook_secret_hash.sql
- Add database.HashWebhookSecret() helper
- Backfill existing secrets on startup
- Update App model to include WebhookSecretHash in all queries
- Update app creation to compute hash at insert time
- Add TestHashWebhookSecret unit test
- Update all test fixtures to set WebhookSecretHash

Closes #13
This commit is contained in:
clawbot
2026-02-15 14:06:53 -08:00
parent d4eae284b5
commit 72786a9feb
7 changed files with 117 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/database/migrations/005_add_webhook_secret_hash.sql Normal file
View File

@@ -0,0 +1,2 @@
-- Add webhook_secret_hash column for constant-time secret lookup
ALTER TABLE apps ADD COLUMN webhook_secret_hash TEXT NOT NULL DEFAULT '';