yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: add HMAC signature verification to webhook ingest

Browse Source 
Webhook ingest endpoint was completely unauthenticated. Add an optional
`secret` field to BoardWebhook. When configured, inbound requests must
include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or
X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety.
Includes migration to add the secret column.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 13:33:28 -07:00
committed by Abhimanyu Saharan
parent 10848b98cb
commit 4d1dbb4098
4 changed files with 87 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
backend/app/schemas/board_webhooks.py
View File

@@ -18,6 +18,7 @@ class BoardWebhookCreate(SQLModel):
description: NonEmptyStr
enabled: bool = True
agent_id: UUID | None = None
secret: str | None = None
class BoardWebhookUpdate(SQLModel):
@@ -26,6 +27,7 @@ class BoardWebhookUpdate(SQLModel):
description: NonEmptyStr | None = None
enabled: bool | None = None
agent_id: UUID | None = None
secret: str | None = None
class BoardWebhookRead(SQLModel):
@@ -36,6 +38,7 @@ class BoardWebhookRead(SQLModel):
agent_id: UUID | None = None
description: str
enabled: bool
has_secret: bool = False
endpoint_path: str
endpoint_url: str | None = None
created_at: datetime