Skip to content

MT-22022: Add webhook signature verification helper #130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Rabsztok merged 4 commits into from
May 27, 2026
Merged

MT-22022: Add webhook signature verification helper #130

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
eaab34a
MT-22022: Add webhook signature verification helper
Rabsztok May 20, 2026
0296f76
MT-22022: Simplify example to happy-path verification only
Rabsztok May 21, 2026
8e6b72d
Rewrite example
Rabsztok May 26, 2026
8ac33aa
Import from "mailtrap" in example file
Rabsztok May 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,7 @@ Email API:
- Sending stats (aggregated and by domain, category, ESP, date) – [`stats/everything.ts`](examples/stats/everything.ts)
- Email logs (list with filters, get by message ID) – [`email-logs/everything.ts`](examples/email-logs/everything.ts)
- Webhooks CRUD – [`webhooks/everything.ts`](examples/webhooks/everything.ts)
- Verifying webhook signatures – [`webhooks/verify-signature.ts`](examples/webhooks/verify-signature.ts)

Email Sandbox (Testing):

Expand Down
27 changes: 27 additions & 0 deletions examples/webhooks/verify-signature.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
import { createServer, IncomingMessage, ServerResponse } from "http";

import { verifyWebhookSignature } from "mailtrap";

const SIGNING_SECRET = process.env.MAILTRAP_WEBHOOK_SIGNING_SECRET ?? "";

const server = createServer((req: IncomingMessage, res: ServerResponse) => {
// Use the raw request body — parsing and re-serializing the JSON may
// reorder keys or alter whitespace and invalidate the signature.
const chunks: Buffer[] = [];
req.on("data", (chunk: Buffer) => chunks.push(chunk));
req.on("end", () => {
const payload = Buffer.concat(chunks).toString("utf-8");
const signature = (req.headers["mailtrap-signature"] as string) ?? "";

if (!verifyWebhookSignature(payload, signature, SIGNING_SECRET)) {
res.writeHead(401, { "Content-Type": "text/plain" });
res.end("Invalid signature");
return;
}

res.writeHead(200, { "Content-Type": "text/plain" });
res.end();
});
Comment on lines +10 to +24
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a request body size limit to prevent memory DoS.
The example buffers the entire webhook body without bounds; a large request can exhaust memory. Enforce a max byte limit while streaming (e.g., return 413 and stop reading) before Buffer.concat(...) and signature verification.

  • Also normalize req.headers["mailtrap-signature"] to handle string[] | undefined instead of casting to string.
Suggested patch 
+const MAX_BODY_BYTES = 1024 * 1024; // 1MB example limit
+
 const server = createServer((req: IncomingMessage, res: ServerResponse) => {
   // Use the raw request body — parsing and re-serializing the JSON may
   // reorder keys or alter whitespace and invalidate the signature.
   const chunks: Buffer[] = [];
+  let total = 0;
   req.on("data", (chunk: Buffer) => chunks.push(chunk));
+  req.on("data", (chunk: Buffer) => {
+    total += chunk.length;
+    if (total > MAX_BODY_BYTES) {
+      res.writeHead(413, { "Content-Type": "text/plain" });
+      res.end("Payload too large");
+      req.destroy();
+    }
+  });
   req.on("end", () => {
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/webhooks/verify-signature.ts` around lines 10 - 24, Add a streaming
size limit to the webhook body collection: in the req.on("data") handler for the
chunks array, track accumulated bytes and if it exceeds a configurable max
(e.g., MAX_PAYLOAD_BYTES) immediately stop reading, respond with 413 and end the
request, and ensure you clean up listeners / destroy the socket to avoid
continuing to buffer; only call Buffer.concat(...) and
verifyWebhookSignature(payload, signature, SIGNING_SECRET) when under the limit.
Also stop casting the header to string — normalize
req.headers["mailtrap-signature"] (which may be string | string[] | undefined)
into a single string (e.g., take the first element or join with ",") before
passing it to verifyWebhookSignature so you handle all header shapes safely.

});

server.listen(9292);
149 changes: 149 additions & 0 deletions src/__tests__/lib/webhooks/verify-signature.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
import { createHmac } from "crypto";

import verifyWebhookSignature, {
SIGNATURE_HEX_LENGTH,
} from "../../../lib/webhooks/verify-signature";

// ---------------------------------------------------------------------------
// Cross-SDK fixture
//
// The (payload, signing_secret, expected_signature) triple below is the
// canonical fixture shared verbatim by every official Mailtrap SDK
// (mailtrap-ruby, mailtrap-python, mailtrap-php, mailtrap-nodejs,
// mailtrap-java, mailtrap-dotnet). Any change here MUST be mirrored in the
// equivalent test files in the other SDKs so the helpers stay byte-for-byte
// compatible across languages.
// ---------------------------------------------------------------------------
const FIXTURE_PAYLOAD =
'{"event":"delivery","sending_stream":"transactional","category":"welcome","message_id":"a8b1d8f6-1f8d-4a3c-9b2e-1a2b3c4d5e6f","email":"recipient@example.com","event_id":"f1e2d3c4-b5a6-7890-1234-567890abcdef","timestamp":1716070000}';
const FIXTURE_SIGNING_SECRET = "8d9a3c0e7f5b2d4a6c1e9f8b3a7d5c2e";
const FIXTURE_EXPECTED_SIGNATURE =
"6d262e2611cd09be1f948382b5c611d63b0e585c4c9c5e40139d6ac3876d5433";

describe("lib/webhooks/verify-signature: ", () => {
describe("verifyWebhookSignature(): ", () => {
// --- 1. Valid signature for given payload + secret ---------------------
it("returns true for valid signature, payload and secret.", () => {
expect(
verifyWebhookSignature(
FIXTURE_PAYLOAD,
FIXTURE_EXPECTED_SIGNATURE,
FIXTURE_SIGNING_SECRET
)
).toBe(true);
});

// --- 2. Wrong secret ---------------------------------------------------
it("returns false with a wrong signing secret.", () => {
expect(
verifyWebhookSignature(
FIXTURE_PAYLOAD,
FIXTURE_EXPECTED_SIGNATURE,
"ffffffffffffffffffffffffffffffff"
)
).toBe(false);
});

// --- 3. Payload tampered (one byte changed) ----------------------------
it("returns false when the payload is tampered.", () => {
const tampered = FIXTURE_PAYLOAD.replace("delivery", "Delivery");

expect(
verifyWebhookSignature(
tampered,
FIXTURE_EXPECTED_SIGNATURE,
FIXTURE_SIGNING_SECRET
)
).toBe(false);
});

// --- 4. Signature with wrong length ------------------------------------
it("returns false without throwing when the signature is too short.", () => {
const tooShort = FIXTURE_EXPECTED_SIGNATURE.slice(0, 31);

expect(() =>
verifyWebhookSignature(
FIXTURE_PAYLOAD,
tooShort,
FIXTURE_SIGNING_SECRET
)
).not.toThrow();

expect(
verifyWebhookSignature(
FIXTURE_PAYLOAD,
tooShort,
FIXTURE_SIGNING_SECRET
)
).toBe(false);
});

// --- 5. Signature with non-hex characters ------------------------------
it("returns false without throwing for a non-hex signature.", () => {
const notHex = "z".repeat(SIGNATURE_HEX_LENGTH);

expect(() =>
verifyWebhookSignature(FIXTURE_PAYLOAD, notHex, FIXTURE_SIGNING_SECRET)
).not.toThrow();

expect(
verifyWebhookSignature(FIXTURE_PAYLOAD, notHex, FIXTURE_SIGNING_SECRET)
).toBe(false);
});

// --- 6. Empty signature string -----------------------------------------
it("returns false for an empty signature string.", () => {
expect(
verifyWebhookSignature(FIXTURE_PAYLOAD, "", FIXTURE_SIGNING_SECRET)
).toBe(false);
});

// --- 7. Empty signing_secret -------------------------------------------
it("returns false for an empty signing secret.", () => {
expect(
verifyWebhookSignature(FIXTURE_PAYLOAD, FIXTURE_EXPECTED_SIGNATURE, "")
).toBe(false);
});

// --- 8. Empty payload + non-empty signature ----------------------------
it("returns false for an empty payload.", () => {
expect(
verifyWebhookSignature(
"",
FIXTURE_EXPECTED_SIGNATURE,
FIXTURE_SIGNING_SECRET
)
).toBe(false);
});

// --- 9. Known-good cross-SDK fixture -----------------------------------
it("matches the hardcoded HMAC-SHA256 digest for the shared fixture.", () => {
// Recompute the digest in-place so a regression in Node's crypto module
// or the fixture itself fails loudly: this is the byte-for-byte
// contract every other Mailtrap SDK must satisfy.
const computed = createHmac("sha256", FIXTURE_SIGNING_SECRET)
.update(FIXTURE_PAYLOAD)
.digest("hex");

expect(computed).toBe(FIXTURE_EXPECTED_SIGNATURE);
expect(
verifyWebhookSignature(
FIXTURE_PAYLOAD,
FIXTURE_EXPECTED_SIGNATURE,
FIXTURE_SIGNING_SECRET
)
).toBe(true);
});

// --- Bonus: accepts a Buffer payload -----------------------------------
it("accepts a Buffer payload equivalently to a UTF-8 string.", () => {
expect(
verifyWebhookSignature(
Buffer.from(FIXTURE_PAYLOAD, "utf-8"),
FIXTURE_EXPECTED_SIGNATURE,
FIXTURE_SIGNING_SECRET
)
).toBe(true);
});
});
});
3 changes: 2 additions & 1 deletion src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import MailtrapClient from "./lib/MailtrapClient";
import MailtrapTransport from "./lib/transport";
import verifyWebhookSignature from "./lib/webhooks/verify-signature";

export * from "./types/mailtrap";
export { MailtrapClient, MailtrapTransport };
export { MailtrapClient, MailtrapTransport, verifyWebhookSignature };
92 changes: 92 additions & 0 deletions src/lib/webhooks/verify-signature.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
import { createHmac, timingSafeEqual } from "crypto";

/**
* Hex-encoded HMAC-SHA256 signature length (SHA-256 produces 32 bytes / 64 hex chars).
*/
export const SIGNATURE_HEX_LENGTH = 64;

/**
* Verifies the HMAC-SHA256 signature of a Mailtrap webhook payload.
*
* Mailtrap signs every outbound webhook by computing
* `HMAC-SHA256(signing_secret, raw_request_body)` and sending the lowercase
* hex digest in the `Mailtrap-Signature` HTTP header. Compute the same digest
* on your side and compare it in constant time.
*
* The comparison is performed with {@link timingSafeEqual} to avoid timing
* side-channels.
*
* The function never throws on inputs that could plausibly arrive over the
* wire (empty strings, wrong-length signatures, non-hex characters, missing
* secret) — it simply returns `false`. This makes it safe to call directly
* from a request handler without wrapping in try/catch.
*
* @param payload - The raw request body, exactly as received. Accepts a
* UTF-8 `string` or a raw `Buffer`. **Do not** parse and re-serialize the
* JSON — re-encoding may reorder keys or alter whitespace and invalidate
* the signature. With Express, use
* `express.raw({ type: 'application/json' })` (or equivalent) on the
* webhook route so the body is preserved verbatim.
* @param signature - The value of the `Mailtrap-Signature` HTTP header
* (lowercase hex string).
* @param signingSecret - The webhook's `signing_secret`, returned by the
* Webhooks API on webhook creation.
* @returns `true` if the signature is valid for the given payload and
* secret, `false` otherwise.
*
* @see https://docs.mailtrap.io/email-api-smtp/advanced/webhooks#verifying-the-signature
*/
export default function verifyWebhookSignature(
payload: string | Buffer,
signature: string,
signingSecret: string
): boolean {
if (typeof signature !== "string" || signature.length === 0) {
return false;
}
if (typeof signingSecret !== "string" || signingSecret.length === 0) {
return false;
}
if (typeof payload !== "string" && !Buffer.isBuffer(payload)) {
return false;
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
if (payload.length === 0) {
return false;
}
if (signature.length !== SIGNATURE_HEX_LENGTH) {
return false;
}

let expected: string;
try {
expected = createHmac("sha256", signingSecret)
.update(payload)
.digest("hex");
} catch {
return false;
}

let expectedBuffer: Buffer;
let providedBuffer: Buffer;
try {
expectedBuffer = Buffer.from(expected, "hex");
providedBuffer = Buffer.from(signature, "hex");
} catch {
return false;
}

// `Buffer.from(str, 'hex')` silently drops trailing non-hex characters
// rather than throwing. Re-check the buffer lengths so a signature with
// non-hex characters (which produces a shorter decoded buffer) is rejected
// as a length mismatch instead of being silently accepted/rejected by
// `timingSafeEqual` — which itself throws on mismatched lengths.
if (expectedBuffer.length !== providedBuffer.length) {
return false;
}

try {
return timingSafeEqual(expectedBuffer, providedBuffer);
} catch {
return false;
}
}
Loading