validateWebhook adds the token to the list of seen ones before validating that the token is valid. This means an attacker could repeatedly send invalid requests to the server and trigger an OOM. Furthermore, the attacker could send a large enough token and trigger the OOM more quickly.
Also, in order to limit the memory consumption I'd either:
allow configuring mailgunExpirey to a lower value
First option may accept the same request twice, but is the safest to prevent excessive memory usage in case of high traffic. The size could be a config.
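
An added example, not the project's own code, of the ordering this comment asks for: reject oversized or unsigned tokens first, and only then record the token in a size-bounded, expiring set. It assumes Go and Mailgun's webhook scheme (hex HMAC-SHA256 over timestamp+token); `replayGuard`, `sign`, `maxTokenLen` and `maxEntries` are hypothetical names, and the key is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

const maxTokenLen = 64 // assumed cap on token size, not taken from the page

type replayGuard struct { // holds only authenticated tokens, bounded by count and age
	key        []byte
	expiry     time.Duration
	maxEntries int // hypothetical config value for the cache size
	seen       map[string]time.Time
}

// sign returns the hex HMAC-SHA256 over timestamp+token.
func sign(key []byte, timestamp, token string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(timestamp + token))
	return hex.EncodeToString(mac.Sum(nil))
}

// validate checks size and signature before the cache is touched at all.
func (g *replayGuard) validate(timestamp, token, signature string, now time.Time) bool {
	if len(token) == 0 || len(token) > maxTokenLen {
		return false // oversized input is never hashed or stored
	}
	if !hmac.Equal([]byte(sign(g.key, timestamp, token)), []byte(signature)) {
		return false // nothing is recorded for unauthenticated requests
	}
	if at, ok := g.seen[token]; ok && now.Sub(at) <= g.expiry {
		return false // replay inside the expiry window
	}
	for t, at := range g.seen { // drop expired entries, then arbitrary ones while full
		if now.Sub(at) > g.expiry || len(g.seen) >= g.maxEntries {
			delete(g.seen, t) // an evicted live token could be accepted a second time
		}
	}
	g.seen[token] = now
	return true
}

func main() {
	g := &replayGuard{[]byte("constructed-key"), time.Minute, 2, map[string]time.Time{}}
	fmt.Println(g.validate("1", "tok", sign(g.key, "1", "tok"), time.Now()), len(g.seen))
}
```

Memory is bounded by `maxEntries * maxTokenLen` regardless of how many invalid requests arrive, at the cost that an evicted token may be accepted twice under high legitimate traffic.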