Security: Use timing-safe comparison for webhook signatures

## Description

Currently, the webhook signature validation in `src/app/api/webhook/route.ts` uses a simple string equality check:

```javascript
if (signature !== expectedSignature) {
  return NextResponse.json({ error: "Invalid signature" }, { status: 401 });
}
```

This approach is vulnerable to timing attacks, where attackers can potentially determine the expected signature by measuring response times.

## Recommendation

Replace the string comparison with a timing-safe comparison using `crypto.timingSafeEqual`:

```javascript
const signatureBuffer = Buffer.from(signature || "", "hex");
const expectedSignatureBuffer = Buffer.from(expectedSignature, "hex");
if (
  signatureBuffer.length !== expectedSignatureBuffer.length ||
  !crypto.timingSafeEqual(signatureBuffer, expectedSignatureBuffer)
) {
  return NextResponse.json({ error: "Invalid signature" }, { status: 401 });
}
```

## References
- PR: #29
- [Comment](https://github.com/RequestNetwork/easy-invoice/pull/29#discussion_r1981397160)
- [Node.js crypto.timingSafeEqual documentation](https://nodejs.org/api/crypto.html#cryptotimingsafeequala-b)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Use timing-safe comparison for webhook signatures #32

Description

Recommendation

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Use timing-safe comparison for webhook signatures #32

Description

Description

Recommendation

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions