From 3a0c67a6564e4e47370817f09ce24b6dcd125a25 Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 16:45:54 -0700
Subject: [PATCH] Update backend/app/api/board_webhooks.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 backend/app/api/board_webhooks.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/backend/app/api/board_webhooks.py b/backend/app/api/board_webhooks.py
index 79fe7901..1743c24d 100644
--- a/backend/app/api/board_webhooks.py
+++ b/backend/app/api/board_webhooks.py
@@ -186,14 +186,17 @@ def _verify_webhook_signature(
 status_code=status.HTTP_403_FORBIDDEN,
 detail="Missing webhook signature header.",
 )
- if sig_header.startswith("sha256="):
- sig_header = sig_header[7:]
+ sig_value = sig_header
+ if sig_value.lower().startswith("sha256="):
+ sig_value = sig_value[7:]
+ sig_value = sig_value.strip().lower()
 expected = hmac.new(
 webhook.secret.encode("utf-8"),
 raw_body,
 hashlib.sha256,
 ).hexdigest()
- if not hmac.compare_digest(sig_header, expected):
+ expected = expected.strip().lower()
+ if not hmac.compare_digest(sig_value, expected):
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN,
 detail="Invalid webhook signature.",
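Review bot: `hmac.compare_digest(sig_value, expected)` is still called with two `str` arguments, and Python's `compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters. A signature header carrying such characters would then probably surface as an unhandled 500 instead of the intended 403, assuming the framework passes the header in as a decoded string (the header extraction is outside the hunk). Comparing bytes avoids that: `if not hmac.compare_digest(sig_value.encode("utf-8"), expected.encode("utf-8")):`. Separately, `expected = expected.strip().lower()` is a no-op because `hexdigest()` already returns lowercase hex with no whitespace, and `.strip()` runs after the `sha256=` prefix test, so a value with leading whitespace keeps its prefix and is rejected. `_verify_webhook_signature` begins and ends outside the hunk.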