| """ |
| Module: api.middleware.webhook_verification |
| Description: Webhook signature verification middleware |
| Author: Anderson H. Silva |
| Date: 2025-01-25 |
| License: Proprietary - All rights reserved |
| """ |
|
|
| import hmac |
| import hashlib |
| import time |
| from typing import Optional, Dict, Any |
|
|
| from fastapi import Request, HTTPException, status |
| from starlette.middleware.base import BaseHTTPMiddleware |
| from starlette.responses import JSONResponse |
|
|
| from src.core import get_logger |
|
|
| logger = get_logger(__name__) |
|
|
|
|
| class WebhookVerificationMiddleware(BaseHTTPMiddleware): |
| """ |
| Middleware for verifying incoming webhook signatures. |
| |
| Protects endpoints that receive webhooks from external services. |
| """ |
| |
| def __init__( |
| self, |
| app, |
| webhook_paths: Optional[Dict[str, str]] = None, |
| max_timestamp_age: int = 300 |
| ): |
| """ |
| Initialize webhook verification middleware. |
| |
| Args: |
| app: FastAPI application |
| webhook_paths: Dict of path -> secret mapping |
| max_timestamp_age: Maximum age of timestamp in seconds |
| """ |
| super().__init__(app) |
| self.webhook_paths = webhook_paths or {} |
| self.max_timestamp_age = max_timestamp_age |
| |
| async def dispatch(self, request: Request, call_next): |
| """Process request with webhook verification.""" |
| |
| if request.url.path not in self.webhook_paths: |
| return await call_next(request) |
| |
| |
| secret = self.webhook_paths[request.url.path] |
| |
| try: |
| |
| body = await request.body() |
| |
| |
| if not self._verify_signature(request, body, secret): |
| logger.warning( |
| "webhook_signature_verification_failed", |
| path=request.url.path, |
| headers=dict(request.headers) |
| ) |
| |
| return JSONResponse( |
| status_code=status.HTTP_401_UNAUTHORIZED, |
| content={ |
| "detail": "Invalid webhook signature", |
| "error": "INVALID_SIGNATURE" |
| } |
| ) |
| |
| |
| if not self._verify_timestamp(request): |
| logger.warning( |
| "webhook_timestamp_verification_failed", |
| path=request.url.path |
| ) |
| |
| return JSONResponse( |
| status_code=status.HTTP_401_UNAUTHORIZED, |
| content={ |
| "detail": "Webhook timestamp too old", |
| "error": "TIMESTAMP_TOO_OLD" |
| } |
| ) |
| |
| |
| request.state.webhook_body = body |
| |
| |
| return await call_next(request) |
| |
| except Exception as e: |
| logger.error( |
| "webhook_verification_error", |
| error=str(e), |
| exc_info=True |
| ) |
| |
| return JSONResponse( |
| status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, |
| content={ |
| "detail": "Webhook verification error", |
| "error": "VERIFICATION_ERROR" |
| } |
| ) |
| |
| def _verify_signature( |
| self, |
| request: Request, |
| body: bytes, |
| secret: str |
| ) -> bool: |
| """Verify webhook signature.""" |
| |
| signature_header = ( |
| request.headers.get("X-Cidadao-Signature") or |
| request.headers.get("X-Webhook-Signature") or |
| request.headers.get("X-Hub-Signature-256") |
| ) |
| |
| if not signature_header: |
| logger.debug("No signature header found") |
| return False |
| |
| |
| if "=" in signature_header: |
| algorithm, signature = signature_header.split("=", 1) |
| else: |
| algorithm = "sha256" |
| signature = signature_header |
| |
| |
| if algorithm == "sha256": |
| expected = hmac.new( |
| secret.encode(), |
| body, |
| hashlib.sha256 |
| ).hexdigest() |
| elif algorithm == "sha1": |
| expected = hmac.new( |
| secret.encode(), |
| body, |
| hashlib.sha1 |
| ).hexdigest() |
| else: |
| logger.warning(f"Unsupported signature algorithm: {algorithm}") |
| return False |
| |
| |
| return hmac.compare_digest(signature, expected) |
| |
| def _verify_timestamp(self, request: Request) -> bool: |
| """Verify webhook timestamp is recent.""" |
| timestamp_header = ( |
| request.headers.get("X-Cidadao-Timestamp") or |
| request.headers.get("X-Webhook-Timestamp") |
| ) |
| |
| if not timestamp_header: |
| |
| return True |
| |
| try: |
| |
| if timestamp_header.isdigit(): |
| |
| webhook_time = float(timestamp_header) |
| else: |
| |
| from dateutil.parser import parse |
| webhook_time = parse(timestamp_header).timestamp() |
| |
| |
| current_time = time.time() |
| age = abs(current_time - webhook_time) |
| |
| return age <= self.max_timestamp_age |
| |
| except Exception as e: |
| logger.error(f"Failed to parse timestamp: {e}") |
| return False |
|
|
|
|
| def create_webhook_signature( |
| payload: bytes, |
| secret: str, |
| algorithm: str = "sha256" |
| ) -> str: |
| """ |
| Create webhook signature for outgoing webhooks. |
| |
| Args: |
| payload: Request body |
| secret: Webhook secret |
| algorithm: Hash algorithm (sha256, sha1) |
| |
| Returns: |
| Signature string with format "algorithm=signature" |
| """ |
| if algorithm == "sha256": |
| signature = hmac.new( |
| secret.encode(), |
| payload, |
| hashlib.sha256 |
| ).hexdigest() |
| elif algorithm == "sha1": |
| signature = hmac.new( |
| secret.encode(), |
| payload, |
| hashlib.sha1 |
| ).hexdigest() |
| else: |
| raise ValueError(f"Unsupported algorithm: {algorithm}") |
| |
| return f"{algorithm}={signature}" |
|
|
|
|
| def verify_webhook_signature( |
| signature: str, |
| payload: bytes, |
| secret: str |
| ) -> bool: |
| """ |
| Verify webhook signature. |
| |
| Args: |
| signature: Signature header value |
| payload: Request body |
| secret: Webhook secret |
| |
| Returns: |
| True if signature is valid |
| """ |
| try: |
| |
| if "=" in signature: |
| algorithm, sig = signature.split("=", 1) |
| else: |
| algorithm = "sha256" |
| sig = signature |
| |
| |
| expected = create_webhook_signature(payload, secret, algorithm) |
| |
| |
| if "=" in expected: |
| _, expected_sig = expected.split("=", 1) |
| else: |
| expected_sig = expected |
| |
| |
| return hmac.compare_digest(sig, expected_sig) |
| |
| except Exception as e: |
| logger.error(f"Signature verification error: {e}") |
| return False |
|
|
|
|
| class WebhookSigner: |
| """Helper class for signing webhook requests.""" |
| |
| def __init__(self, secret: str, algorithm: str = "sha256"): |
| """Initialize webhook signer.""" |
| self.secret = secret |
| self.algorithm = algorithm |
| |
| def sign(self, payload: bytes) -> Dict[str, str]: |
| """ |
| Generate webhook headers with signature. |
| |
| Args: |
| payload: Request body |
| |
| Returns: |
| Dict of headers to include in request |
| """ |
| signature = create_webhook_signature( |
| payload, |
| self.secret, |
| self.algorithm |
| ) |
| |
| timestamp = str(int(time.time())) |
| |
| return { |
| "X-Cidadao-Signature": signature, |
| "X-Cidadao-Timestamp": timestamp, |
| "X-Cidadao-Algorithm": self.algorithm |
| } |
