let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

line: centralize webhook signature validation

Browse Source
This commit is contained in:
Shadow
2026-01-26 19:10:11 -06:00
committed by Shadow
parent 3b8792ee29
commit e0dc49f287
4 changed files with 48 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/line/monitor.ts
View File

@@ -1,10 +1,10 @@
import type { WebhookRequestBody } from "@line/bot-sdk"; import type { WebhookRequestBody } from "@line/bot-sdk";
import type { IncomingMessage, ServerResponse } from "node:http"; import type { IncomingMessage, ServerResponse } from "node:http";
import crypto from "node:crypto";
import type { ClawdbotConfig } from "../config/config.js"; import type { ClawdbotConfig } from "../config/config.js";
import { danger, logVerbose } from "../globals.js"; import { danger, logVerbose } from "../globals.js";
import type { RuntimeEnv } from "../runtime.js"; import type { RuntimeEnv } from "../runtime.js";
import { createLineBot } from "./bot.js"; import { createLineBot } from "./bot.js";
import { validateLineSignature } from "./signature.js";
import { normalizePluginHttpPath } from "../plugins/http-path.js"; import { normalizePluginHttpPath } from "../plugins/http-path.js";
import { registerPluginHttpRoute } from "../plugins/http-registry.js"; import { registerPluginHttpRoute } from "../plugins/http-registry.js";
import { import {
@@ -85,11 +85,6 @@ export function getLineRuntimeState(accountId: string) {
return runtimeState.get(`line:${accountId}`); return runtimeState.get(`line:${accountId}`);
} }
function validateLineSignature(body: string, signature: string, channelSecret: string): boolean {
const hash = crypto.createHmac("SHA256", channelSecret).update(body).digest("base64");
return hash === signature;
}
async function readRequestBody(req: IncomingMessage): Promise<string> { async function readRequestBody(req: IncomingMessage): Promise<string> {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const chunks: Buffer[] = []; const chunks: Buffer[] = [];

27
src/line/signature.test.ts Normal file
View File

@@ -0,0 +1,27 @@
import crypto from "node:crypto";
import { describe, expect, it } from "vitest";
import { validateLineSignature } from "./signature.js";
const sign = (body: string, secret: string) =>
crypto.createHmac("SHA256", secret).update(body).digest("base64");
describe("validateLineSignature", () => {
it("accepts valid signatures", () => {
const secret = "secret";
const rawBody = JSON.stringify({ events: [{ type: "message" }] });
expect(validateLineSignature(rawBody, sign(rawBody, secret), secret)).toBe(true);
});
it("rejects signatures computed with the wrong secret", () => {
const rawBody = JSON.stringify({ events: [{ type: "message" }] });
expect(validateLineSignature(rawBody, sign(rawBody, "wrong-secret"), "secret")).toBe(false);
});
it("rejects signatures with a different length", () => {
const rawBody = JSON.stringify({ events: [{ type: "message" }] });
expect(validateLineSignature(rawBody, "short", "secret")).toBe(false);
});
});

18
src/line/signature.ts Normal file
View File

@@ -0,0 +1,18 @@
import crypto from "node:crypto";
export function validateLineSignature(
body: string,
signature: string,
channelSecret: string,
): boolean {
const hash = crypto.createHmac("SHA256", channelSecret).update(body).digest("base64");
const hashBuffer = Buffer.from(hash);
const signatureBuffer = Buffer.from(signature);
// Use constant-time comparison to prevent timing attacks.
if (hashBuffer.length !== signatureBuffer.length) {
return false;
}
return crypto.timingSafeEqual(hashBuffer, signatureBuffer);
}

18
src/line/webhook.ts
View File

@@ -1,8 +1,8 @@
import type { Request, Response, NextFunction } from "express"; import type { Request, Response, NextFunction } from "express";
import crypto from "node:crypto";
import type { WebhookRequestBody } from "@line/bot-sdk"; import type { WebhookRequestBody } from "@line/bot-sdk";
import { logVerbose, danger } from "../globals.js"; import { logVerbose, danger } from "../globals.js";
import type { RuntimeEnv } from "../runtime.js"; import type { RuntimeEnv } from "../runtime.js";
import { validateLineSignature } from "./signature.js";
export interface LineWebhookOptions { export interface LineWebhookOptions {
channelSecret: string; channelSecret: string;
@@ -10,20 +10,6 @@ export interface LineWebhookOptions {
runtime?: RuntimeEnv; runtime?: RuntimeEnv;
} }
function validateSignature(body: string, signature: string, channelSecret: string): boolean {
const hash = crypto.createHmac("SHA256", channelSecret).update(body).digest("base64");
const hashBuffer = Buffer.from(hash);
const signatureBuffer = Buffer.from(signature);
// Use constant-time comparison to prevent timing attacks
// Ensure buffers are same length before comparison to prevent timing leak
if (hashBuffer.length !== signatureBuffer.length) {
return false;
}
return crypto.timingSafeEqual(hashBuffer, signatureBuffer);
}
function readRawBody(req: Request): string | null { function readRawBody(req: Request): string | null {
const rawBody = const rawBody =
(req as { rawBody?: string | Buffer }).rawBody ?? (req as { rawBody?: string | Buffer }).rawBody ??
@@ -61,7 +47,7 @@ export function createLineWebhookMiddleware(options: LineWebhookOptions) {
return; return;
} }
if (!validateSignature(rawBody, signature, channelSecret)) { if (!validateLineSignature(rawBody, signature, channelSecret)) {
logVerbose("line: webhook signature validation failed"); logVerbose("line: webhook signature validation failed");
res.status(401).json({ error: "Invalid signature" }); res.status(401).json({ error: "Invalid signature" });
return; return;