Use hashed webhook secrets for constant-time comparison (closes #13) #15

Merged

sneak merged 2 commits from :fix/issue-13 into main

2026-02-16 05:55:46 +01:00

Author	SHA1	Message	Date
Jeffrey Paul	57ea724419	Merge branch 'main' into fix/issue-13	2026-02-16 05:55:17 +01:00
clawbot	72786a9feb	fix: use hashed webhook secrets for constant-time comparison Store a SHA-256 hash of the webhook secret in a new webhook_secret_hash column. FindAppByWebhookSecret now hashes the incoming secret and queries by hash, eliminating the SQL string comparison timing side-channel. - Add migration 005_add_webhook_secret_hash.sql - Add database.HashWebhookSecret() helper - Backfill existing secrets on startup - Update App model to include WebhookSecretHash in all queries - Update app creation to compute hash at insert time - Add TestHashWebhookSecret unit test - Update all test fixtures to set WebhookSecretHash Closes #13	2026-02-15 14:06:53 -08:00

Author

SHA1

Message

Date

Jeffrey Paul

57ea724419

Merge branch 'main' into fix/issue-13

2026-02-16 05:55:17 +01:00

clawbot

72786a9feb

fix: use hashed webhook secrets for constant-time comparison

Store a SHA-256 hash of the webhook secret in a new webhook_secret_hash
column. FindAppByWebhookSecret now hashes the incoming secret and queries
by hash, eliminating the SQL string comparison timing side-channel.

- Add migration 005_add_webhook_secret_hash.sql
- Add database.HashWebhookSecret() helper
- Backfill existing secrets on startup
- Update App model to include WebhookSecretHash in all queries
- Update app creation to compute hash at insert time
- Add TestHashWebhookSecret unit test
- Update all test fixtures to set WebhookSecretHash

Closes #13

2026-02-15 14:06:53 -08:00

Use hashed webhook secrets for constant-time comparison (closes #13) #15

2 Commits