fix: verify incident webhook signatures

[RachanaB5]

Closes #1539

Summary

• add signed incident webhook verification using x-incident-signature-256
• require INCIDENT_WEBHOOK_SECRET before processing incident payloads
• reject missing or unsafe incident target query parameters
• add unit coverage for valid signatures, invalid signatures, and target validation

Security Impact

Prevents forged incident webhook requests from triggering deployment correlation and rollback PR preparation.

Testing

• npm test -- --runTestsByPath lib/__tests__/incidentWebhook.test.ts
• git diff --check

Summary by CodeRabbit

• New Features

  • Webhook endpoint now validates all incoming requests using cryptographic signature verification before processing.
  • Enhanced webhook handler to dynamically extract and validate integration target parameters directly from the request URL, replacing hardcoded configuration values.

• Tests

  • Added comprehensive test suite validating signature verification with various scenarios including valid signatures, missing secrets, invalid headers, and payload mismatches.

[vercel]

@RachanaB5 is attempting to deploy a commit to the Nisshchaya's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a8a8eb50-f7a6-42b8-838b-c2657af9c8e0

📥 Commits

Reviewing files that changed from the base of the PR and between 6b078b6 and 94220c9.

📒 Files selected for processing (3)

• app/api/integrations/incidents/webhook/route.ts
• lib/__tests__/incidentWebhook.test.ts
• lib/utils/incidentWebhook.ts

---

📝 Walkthrough

Walkthrough

This PR hardens the incident webhook endpoint against forged requests by adding HMAC-SHA256 signature verification and URL parameter validation. The handler now rejects unauthorized requests with 401 and invalid target parameters with 400 before processing incidents.

Changes

Incident Webhook Security Hardening

Layer / File(s)	Summary
Webhook signature verification and target parsing utilities lib/utils/incidentWebhook.ts	verifyIncidentWebhookSignature validates HMAC-SHA256 signatures from the x-incident-signature-256 header using a trimmed webhook secret and constant-time comparison; parseIncidentTarget extracts installationId, owner, and repo from URL search parameters, validating the installation ID as a positive safe integer and repository names against a restricted character set.
Webhook handler endpoint with security checks app/api/integrations/incidents/webhook/route.ts	The POST handler reads the request body as raw text, verifies the signature before parsing JSON, returns 401 if verification fails, extracts target parameters using parseIncidentTarget, and returns 400 if required parameters are missing or invalid.
Signature verification and target parsing tests lib/__tests__/incidentWebhook.test.ts	Jest test suite covers verifyIncidentWebhookSignature acceptance/rejection of valid/invalid/missing signatures and secrets, and parseIncidentTarget extraction of valid parameters and rejection of missing or unsafe values.

Sequence Diagram

sequenceDiagram
  participant Caller
  participant WebhookHandler
  participant VerifySignature as verifyIncidentWebhookSignature
  participant ParseTarget as parseIncidentTarget
  participant IncidentProcessor
  
  Caller->>WebhookHandler: POST /webhook + raw body + x-incident-signature-256
  WebhookHandler->>VerifySignature: (rawBody, signatureHeader, webhookSecret)
  VerifySignature->>VerifySignature: Extract sha256= prefix
  VerifySignature->>VerifySignature: HMAC-SHA256(rawBody)
  VerifySignature->>VerifySignature: timingSafeEqual(computed, provided)
  VerifySignature-->>WebhookHandler: true/false
  alt Signature Invalid
    WebhookHandler-->>Caller: 401 Unauthorized
  else Signature Valid
    WebhookHandler->>WebhookHandler: Parse JSON body
    WebhookHandler->>ParseTarget: (URLSearchParams)
    ParseTarget->>ParseTarget: Validate installationId (positive safe integer)
    ParseTarget->>ParseTarget: Validate owner/repo (restricted charset)
    ParseTarget-->>WebhookHandler: { installationId, owner, repo } or null
    alt Target Missing/Invalid
      WebhookHandler-->>Caller: 400 Bad Request
    else Target Valid
      WebhookHandler->>IncidentProcessor: Process incident with validated target
      IncidentProcessor-->>Caller: 200 OK
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

security, bug, level:intermediate

🐰 A webhook once ran wild and free,
With forged requests, unsafe as can be—
But now HMAC guards the gate,
And validates targets before they're too late!
SHA-256 keeps the incidents true, 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: verify incident webhook signatures' directly and clearly summarizes the main change: adding webhook signature verification to secure the incident webhook endpoint.
Linked Issues check	✅ Passed	The PR fully addresses all coding requirements from issue #1539: implements HMAC-SHA256 signature verification using x-incident-signature-256 header and INCIDENT_WEBHOOK_SECRET, enforces dynamic extraction of required target parameters, rejects invalid inputs, and adds comprehensive unit tests.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the webhook signature verification requirement: signature verification utility, target parameter parsing, webhook route handler updates, and corresponding tests. No unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🎉 Thanks for your contribution, @RachanaB5!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check	Status
PR description	✅ Provided
PR title	✅ Meaningful
Linked issue	✅ Found
Change size	✅ Looks good (154 lines across 3 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi

[github-actions]

🎉 Thanks for your contribution, @RachanaB5!

Your PR has passed our automated GSSoC quality checks. Here's a quick summary:

Check	Status
PR description	✅ Provided
PR title	✅ Meaningful
Linked issue	✅ Found
Change size	✅ Looks good (154 lines across 3 file(s))

A maintainer will review your PR soon. Please be patient and available for feedback. 💪

GSSoC'26 automation · Maintainer: @nisshchayarathi