Add webhook HMAC signature verification, nonce replay protection, and…#642

Closed
uboho-prog wants to merge 2 commits into Smartdevs17:main from uboho-prog:webhook/callback

@uboho-prog

Contributor

… key rotation support

Pull Request Checklist

Quality Gates (All must pass before merge)

  • Lint: Code passes ESLint and Prettier checks
  • Type Check: TypeScript compilation succeeds
  • Tests: All tests pass
  • Build: Project builds successfully
  • Rust Format: Smart contract formatting is correct
  • Rust Clippy: Smart contract linting passes
  • Rust Tests: All smart contract tests pass
  • Rust Build: Smart contracts compile successfully

Additional Requirements

  • New code has appropriate TypeScript types
  • No hardcoded secrets or credentials
  • New features have corresponding tests
  • Documentation updated if needed

Reviewers

  • At least 1 approval required for merge
  • All CI checks must be green

This PR will not be mergeable until all quality gates pass.


close #605

Summary

This PR adds cryptographic verification and replay protection for incoming webhook callbacks.

What changed

  • Added SignatureService to generate and verify HMAC-SHA256 webhook signatures
  • Implemented timestamp tolerance and clock skew handling
  • Added nonce replay protection with Redis-backed cache and in-memory fallback
  • Added key rotation support with current/previous active keys
  • Added Express middleware to auto-verify webhook requests
  • Added a signature key management controller for inspection and rotation
  • Added unit tests for signature generation, replay detection, timestamp tolerance, and key rotation

Acceptance criteria addressed

  • Signature format: X-Signature: t=1678901234,s=base64sig,v=1,n=random_nonce
  • HMAC-SHA256 over timestamp + '.' + body
  • Timestamp tolerance default 5 minutes
  • Clock skew tolerance default 30 seconds
  • Nonce tracking with 10-minute TTL
  • Replay detection via nonce cache
  • Key rotation with two active keys
  • Middleware enforcement for webhook endpoints

Testing

  1. Install dependencies:
    npm install
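
A verifier for the scheme listed in the acceptance criteria above, written for Node.js as an added example; it is not code from this pull request or its repository. The function names, the `reason` strings, the in-memory `Map` standing in for the Redis cache, and the way skew combines with the timestamp tolerance are assumptions.

```javascript
// Added example (not code from the PR): verifier for the X-Signature scheme above.
const crypto = require("node:crypto");

const TOLERANCE_S = 300; // timestamp tolerance, 5 minutes
const SKEW_S = 30; // clock skew tolerance, 30 seconds
const NONCE_TTL_S = 600; // nonce TTL, 10 minutes

// HMAC-SHA256 over timestamp + '.' + body, base64-encoded.
function sign(key, t, body) {
  return crypto.createHmac("sha256", key).update(`${t}.${body}`).digest("base64");
}

// Parse "t=...,s=...,v=1,n=...". Split each field on its first '=' only,
// because base64 padding puts '=' inside the s value.
function parseHeader(header) {
  const f = Object.create(null);
  for (const part of String(header).split(",")) {
    const i = part.indexOf("=");
    if (i > 0) f[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return f;
}

// keys: [current, previous]. seen: Map(cache key -> expiry), an in-memory
// stand-in for the Redis nonce cache. body must be the raw request body.
function verify(header, body, keys, seen, now = Math.floor(Date.now() / 1000)) {
  const { t, s, v, n } = parseHeader(header);
  if (v !== "1" || !s || !n || !/^\d+$/.test(t || "")) return { ok: false, reason: "malformed" };
  // Assumption: skew bounds future timestamps and also extends the age limit.
  if (Number(t) > now + SKEW_S) return { ok: false, reason: "future" };
  if (now - Number(t) > TOLERANCE_S + SKEW_S) return { ok: false, reason: "expired" };
  const got = Buffer.from(s, "base64");
  const match = keys.some((key) => {
    const want = Buffer.from(sign(key, t, body), "base64");
    return want.length === got.length && crypto.timingSafeEqual(want, got);
  });
  if (!match) return { ok: false, reason: "bad-signature" };
  // Replay check runs only after the MAC verifies, so unauthenticated
  // requests cannot fill the cache.
  for (const [k, exp] of seen) if (exp <= now) seen.delete(k);
  // The MAC input does not cover n, so the decoded signature is cached too:
  // a captured request resent with a different n is still caught.
  const ids = [`n:${n}`, `s:${got.toString("base64")}`];
  if (ids.some((id) => seen.has(id))) return { ok: false, reason: "replay" };
  for (const id of ids) seen.set(id, now + NONCE_TTL_S);
  return { ok: true, reason: "ok" };
}
```

The 10-minute nonce TTL is longer than the 5 minute 30 second acceptance window, so a cache entry always outlives the period in which its request would still pass the timestamp check.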

@drips-wave

drips-wave Bot commented Jun 24, 2026

@uboho-prog Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@gitguardian

gitguardian Bot commented Jun 28, 2026

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
| --- | --- | --- | --- | --- |
| 34266369 | Triggered | Generic Password | 03bab23 | backend/config/tests/redis.test.ts |
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Development

Successfully merging this pull request may close these issues.

Implement request signing and replay protection for webhook callbacks

2 participants