MT-22022: Add webhook signature verification helper

[Rabsztok]

Motivation

Expose a helper so PHP users don't have to re-implement Mailtrap's HMAC-SHA256 webhook signature check on every receiver.

• Algorithm: https://docs.mailtrap.io/email-api-smtp/advanced/webhooks#verifying-the-signature
• Jira: MT-22022

Changes

• Mailtrap\Helper\WebhookSignature::verify(string $payload, string $signature, string $signingSecret): bool. HMAC-SHA256 over the raw body, constant-time compare via hash_equals. Returns false (never throws) on empty / wrong-length inputs.
• tests/Helper/WebhookSignatureTest.php pins the cross-SDK fixture (payload + signing_secret + expected digest) shared verbatim across all six official Mailtrap SDKs to guarantee byte-for-byte parity.
• examples/webhooks/verify_signature.php — runnable usage snippet.
• README — new "Verifying webhook signatures" subsection.

How to test

CI runs the full phpunit suite. Manually:

php examples/webhooks/verify_signature.php

The script should exit 0 with no output.

Companion PRs

Coordinated rollout across all six official SDKs (same algorithm, same shared fixture):

• mailtrap-ruby#110
• mailtrap-python#67
• mailtrap-php#66 (this PR)
• mailtrap-nodejs#130
• mailtrap-java#53
• mailtrap-dotnet#242

Summary by CodeRabbit

• New Features

  • Webhook signature verification using HMAC-SHA256 now available to ensure incoming webhooks are authentic and secure

• Documentation

  • Documentation and practical examples added explaining webhook signature verification implementation and best practices

• Tests

  • Comprehensive test suite added validating webhook signature verification behavior across multiple scenarios and edge cases

[coderabbitai]

Warning

Review limit reached

@Rabsztok, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 29 minutes and 57 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d8c6c659-4c07-4888-ac9c-a71f718bc77a

📥 Commits

Reviewing files that changed from the base of the PR and between d5be921 and 3d0abfb.

📒 Files selected for processing (4)

• README.md
• examples/webhooks/verify_signature.php
• src/Helper/WebhookSignature.php
• tests/Helper/WebhookSignatureTest.php

📝 Walkthrough

Walkthrough

This PR adds webhook signature verification for Mailtrap. It introduces a new WebhookSignature helper class that verifies HMAC-SHA256 signatures using constant-time comparison, comprehensive test coverage validating both valid and invalid signature scenarios, and documentation with usage examples.

Changes

Webhook Signature Verification

Layer / File(s)	Summary
Webhook signature verification implementation src/Helper/WebhookSignature.php	Introduces Mailtrap\Helper\WebhookSignature with SIGNATURE_HEX_LENGTH constant and a verify() method that computes HMAC-SHA256 over raw webhook payload, validates inputs (non-empty, expected hex length), and returns false for invalid or mismatched signatures using hash_equals() for constant-time comparison.
Signature verification tests tests/Helper/WebhookSignatureTest.php	Adds PHPUnit test suite with cross-SDK fixture constants (payload, signing secret, expected signature) and nine test methods validating: valid signature+secret returns true; wrong secret, tampered payload, too-short signature, non-hex characters, empty signature, empty secret, and empty payload all return false without exceptions; cross-SDK regression test confirms HMAC-SHA256 digest computation.
Documentation and examples README.md, examples/webhooks/verify_signature.php	Documents webhook signature verification workflow in README explaining raw request body requirement and Mailtrap-Signature header validation, with PHP example calling WebhookSignature::verify(). Standalone example script demonstrates correct usage and confirms invalid/malformed signatures return false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• leonid-shevtsov
• IgorDobryn
• i7an
• yanchuk

Poem

🐰 A bunny hops through webhook lands,
With HMAC-SHA256 in paws and hands,
Signatures verified, constant and true,
Cross-SDK tested—the whole PR shines through! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding a webhook signature verification helper class to the Mailtrap PHP SDK.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description includes all required sections and provides comprehensive detail about motivation, specific changes, testing instructions, and coordination with companion PRs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch MT-22022-webhook-signature-verification

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Rabsztok]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

examples/webhooks/verify_signature.php (1)

14-18: ⚡ Quick win

Replace assert() with explicit checks for deterministic example behavior

Lines 14–18 use assert(), which is disabled by default in production PHP (zend.assertions=0) and in various configurations, causing the example to silently pass even if verification fails. Executable examples should fail deterministically.

Suggested replacement using explicit checks

-assert(WebhookSignature::verify($payload, $signature, $signingSecret) === true);
+if (!WebhookSignature::verify($payload, $signature, $signingSecret)) {
+    fwrite(STDERR, "Expected valid signature to pass\n");
+    exit(1);
+}
@@
-assert(WebhookSignature::verify($payload, 'not-hex', $signingSecret) === false);
-assert(WebhookSignature::verify($payload, '', $signingSecret) === false);
+if (WebhookSignature::verify($payload, 'not-hex', $signingSecret)) {
+    fwrite(STDERR, "Expected malformed signature to fail\n");
+    exit(1);
+}
+if (WebhookSignature::verify($payload, '', $signingSecret)) {
+    fwrite(STDERR, "Expected empty signature to fail\n");
+    exit(1);
+}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@examples/webhooks/verify_signature.php` around lines 14 - 18, Replace the
usage of assert() around WebhookSignature::verify($payload, $signature,
$signingSecret) with explicit deterministic checks: call
WebhookSignature::verify for the valid case and for the bad inputs ($signature =
'not-hex' and ''), then if the results are not the expected booleans throw an
exception or exit with a non-zero status (or print an error and exit) so the
example fails deterministically; ensure you reference the
WebhookSignature::verify call and the $payload, $signature, and $signingSecret
variables when implementing the explicit pass/fail checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 292: The snippet uses a falsy-coercing operator
("file_get_contents('php://input') ?: ''") which will turn valid raw payloads
like "0" into an empty string; replace it with a non-coercing form so raw bytes
are preserved for signature checks: call file_get_contents('php://input') once
into a variable (e.g. $raw = file_get_contents('php://input')) and then use
($raw === false ? '' : $raw) (or set $raw = '' only when file_get_contents
returns === false) instead of using ?: to ensure "0" and other falsy-but-valid
payloads are not mutated.

---

Nitpick comments:
In `@examples/webhooks/verify_signature.php`:
- Around line 14-18: Replace the usage of assert() around
WebhookSignature::verify($payload, $signature, $signingSecret) with explicit
deterministic checks: call WebhookSignature::verify for the valid case and for
the bad inputs ($signature = 'not-hex' and ''), then if the results are not the
expected booleans throw an exception or exit with a non-zero status (or print an
error and exit) so the example fails deterministically; ensure you reference the
WebhookSignature::verify call and the $payload, $signature, and $signingSecret
variables when implementing the explicit pass/fail checks.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6bc5d157-5df0-4e94-904f-e3fe90413fa0

📥 Commits

Reviewing files that changed from the base of the PR and between 6f88094 and d5be921.

📒 Files selected for processing (4)

• README.md
• examples/webhooks/verify_signature.php
• src/Helper/WebhookSignature.php
• tests/Helper/WebhookSignatureTest.php