MT-22022: Add webhook signature verification helper#242
Conversation
Add `Mailtrap.Webhooks.WebhookSignature.Verify(string payload, string signature, string signingSecret)` for verifying Mailtrap webhook signatures using HMAC-SHA256 over the raw request body with a constant-time byte-array comparison. Returns false (no throw) for null/empty/malformed/wrong-length signatures and non-hex characters, so a single guard at the request handler covers every bad-input case. The helper ships in `Mailtrap.Abstractions` (netstandard2.0) and uses its own hex parser and constant-time compare since `CryptographicOperations.FixedTimeEquals` is not available there. Includes the shared cross-SDK test fixture (payload + secret + expected signature) that all six Mailtrap SDKs use to stay byte-for-byte compatible, plus an ASP.NET Core receiver example and README subsection. See https://railsware.atlassian.net/browse/MT-22022
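The verification contract described above (HMAC-SHA256 over the raw body, hex-encoded digest, constant-time comparison, and a boolean result that never throws for null, empty, wrong-length or non-hex signatures) written out as an added Python example. This is not the SDK's code and does not call its API; it shows the same shape a receiver in any language needs, including the hand-rolled hex parser and fixed-time compare that the PR mentions for platforms lacking a built-in. The sample payload and secret are constructed here, and accepting upper-case hex digits is an assumption, not something this page states about Mailtrap.

```python
"""Webhook signature verification with the same contract as the PR's helper:
HMAC-SHA256 over the raw request body, hex digest, constant-time compare,
and False (never an exception) for any malformed input."""
import hashlib
import hmac
from typing import Optional


def _hex_nibble(ch: str) -> Optional[int]:
    """Value of one hex digit, or None if it is not a hex digit.
    Assumption: both cases are accepted (the page does not say which Mailtrap emits)."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "a" <= ch <= "f":
        return ord(ch) - ord("a") + 10
    if "A" <= ch <= "F":
        return ord(ch) - ord("A") + 10
    return None


def _try_parse_hex(text: str) -> Optional[bytes]:
    """Hand-rolled hex parser: returns bytes, or None for odd length, whitespace
    or any non-hex character. Unlike bytes.fromhex it never raises, so the
    caller needs a single guard rather than try/except."""
    if len(text) % 2 != 0:
        return None
    out = bytearray()
    for i in range(0, len(text), 2):
        hi = _hex_nibble(text[i])
        lo = _hex_nibble(text[i + 1])
        if hi is None or lo is None:
            return None
        out.append((hi << 4) | lo)
    return bytes(out)


def _fixed_time_equals(a: bytes, b: bytes) -> bool:
    """Constant-time byte comparison of the kind hand-rolled when a platform has no
    built-in (the PR cites netstandard2.0 lacking CryptographicOperations.FixedTimeEquals).
    Every byte is visited and the result is accumulated with OR, so the loop does
    not exit early at the first mismatch. Only the length check short-circuits,
    and the digest length is public anyway."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def verify(payload: Optional[bytes], signature: Optional[str], signing_secret: Optional[str]) -> bool:
    """True only if `signature` is the hex HMAC-SHA256 of `payload` under `signing_secret`.
    `payload` must be the raw request bytes as received, not a re-serialised JSON
    object, or the digest will differ. Returns False for null/empty/malformed input."""
    if not payload or not signature or not signing_secret:
        return False
    provided = _try_parse_hex(signature)
    if provided is None:
        return False
    expected = hmac.new(signing_secret.encode("utf-8"), payload, hashlib.sha256).digest()
    return _fixed_time_equals(expected, provided)


def sign(payload: bytes, signing_secret: str) -> str:
    """Sender-side computation; used here only to construct test data."""
    return hmac.new(signing_secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not Mailtrap's shared fixture.
    body = b'{"event":"delivery","message_id":"constructed-1"}'
    secret = "constructed-signing-secret"
    good = sign(body, secret)
    print("valid:", verify(body, good, secret))            # True
    print("tampered body:", verify(body + b" ", good, secret))  # False
    print("non-hex:", verify(body, "zz" * 32, secret))       # False
```

On the receiver, `verify` is the single guard before any JSON parsing: read the raw body bytes, take the signature string from the request, and reject the request when it returns False.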
c91e748 to 03fb0ba
@coderabbitai review
Actions performed: Review triggered.
Each example includes detailed comments and demonstrates best practices for error handling, configuration, and resource management.

### Verifying webhook signatures
I don't think we need it in this general README. We kept code samples here to the core functionality which is sending mail.
// --- Direct verification (e.g. for unit tests or custom routers) ----------
var payload = "{\"event\":\"delivery\",\"message_id\":\"abc-123\"}";
var signingSecret = "8d9a3c0e7f5b2d4a6c1e9f8b3a7d5c2e";
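Review bot: the literal `signingSecret` in this example snippet looks like a real credential and invites copy-paste into a receiver; since the comment scopes this block to unit tests or custom routers, a clearly fake placeholder (or a value read from configuration) makes the intent obvious and keeps a secret-looking string out of the repository. Note also that `payload` here is a string literal; in a real receiver the value passed to `Verify` must be the raw request body exactly as received, not a re-serialised object, or the HMAC will not match.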
I would leave the secret and actual signature for users to fill in, same as we do in other examples with object IDs.
Motivation
Expose a helper so .NET users don't have to re-implement Mailtrap's HMAC-SHA256 webhook signature check on every receiver.
Changes
- `Mailtrap.Webhooks.WebhookSignature.Verify(string payload, string signature, string signingSecret): bool` in `Mailtrap.Abstractions` (netstandard2.0). HMAC-SHA256 over the raw body, hand-rolled constant-time byte-array compare (since `CryptographicOperations.FixedTimeEquals` is unavailable on netstandard2.0), hand-rolled `TryParseHex` so non-hex inputs return `false` rather than throw. Returns `false` (never throws) on null / empty / wrong-length / non-hex inputs.
- `tests/Mailtrap.UnitTests/Webhooks/WebhookSignatureTests.cs` pins the cross-SDK fixture (payload + signing_secret + expected digest) shared verbatim across all six official Mailtrap SDKs to guarantee byte-for-byte parity.
- `examples/Mailtrap.Example.WebhookSignature/` — new dedicated console project with a runnable usage snippet, added to `Mailtrap.sln`.
How to test
CI runs `dotnet build` and the full unit test suite. Manually: The example should exit 0 with no output.
Companion PRs
Coordinated rollout across all six official SDKs (same algorithm, same shared fixture):