EasyPost / easypost-node

EasyPost Shipping API Client Library for Node
https://easypost.com/docs/api
MIT License
139 stars 54 forks

[Bug]: lowercased webhook signature header not recognized by `validateWebhook` #399

Closed thyming closed 1 year ago

thyming commented 1 year ago

Software Version

6.7.0

Language Version

Node 16

Operating System

Linux

What happened?

  1. Tried to validate a signature
  2. Library says it's not valid

What was expected?

`validateWebhook` is case-insensitive when looking for the signature header. fastify, for example, lowercases all incoming headers, and the HTTP spec says headers are case-insensitive.

Sample Code

No response

Relevant logs

No response

Justintime50 commented 1 year ago

Hey there, thanks for writing in! Can you help me understand the need for this? EasyPost should be sending these headers title cased as the code is already written. Are you saying you are receiving webhooks that have a lowercased header?

thyming commented 1 year ago

Yes, for example, fastify lowercases all incoming headers. Also, in HTTP/2, headers are explicitly required to be lowercased as part of the spec. https://github.com/fastify/help/issues/71

Justintime50 commented 1 year ago

Ah I see, your integration is using fastify so by the time your code gets the header, it's already been lowercased?

This is interesting. Your proposed solution should do the trick. We'll maybe want to revisit this holistically in the future but can move on this for the time being.
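The behaviour requested in this issue, sketched as an added example that is not the library's code or the fix that was merged: a signature check whose header lookup ignores case and fails closed on a missing or duplicated header. The header name, the `hmac-sha256-hex=` prefix, the function names and the sample data are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumptions for this example (not taken from the thread): the header name
// and the "hmac-sha256-hex=" prefix on the signature value.
const SIGNATURE_HEADER = 'X-Hmac-Signature';
const SIGNATURE_PREFIX = 'hmac-sha256-hex=';

// Case-insensitive header lookup. Works whether the framework kept the sender's
// casing or lowercased every name (fastify, Node's http module, HTTP/2).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = [];
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) values.push(...[].concat(value));
  }
  // Fail closed on a missing header or on several copies of it.
  return values.length === 1 && typeof values[0] === 'string' ? values[0] : undefined;
}

// Signature the sender would attach for this body and secret.
function signatureFor(rawBody, secret) {
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  return SIGNATURE_PREFIX + mac;
}

// Returns true only when the header is present and matches the HMAC of the raw body.
function verifyWebhook(rawBody, headers, secret) {
  const received = getHeader(headers, SIGNATURE_HEADER);
  if (received === undefined) return false;
  const actual = Buffer.from(received, 'utf8');
  const expected = Buffer.from(signatureFor(rawBody, secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data, not a real event or secret.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"id":"evt_constructed","description":"tracker.updated"}');
const SAMPLE_SIG = signatureFor(SAMPLE_BODY, SAMPLE_SECRET);

// The same signature is accepted under any casing of the header name.
for (const name of ['X-Hmac-Signature', 'x-hmac-signature', 'X-HMAC-SIGNATURE']) {
  console.log(name, verifyWebhook(SAMPLE_BODY, { [name]: SAMPLE_SIG }, SAMPLE_SECRET));
}
```

Pass the raw request bytes as `rawBody`; a body that has been parsed and re-serialised may no longer match the bytes the sender signed.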