Verify-webhook-signature (#60)

Author: Icegreeen

src/Http/Controllers/WebhookController.php

@@ -33,6 +33,11 @@ public function __construct()
     public function handleWebhook(Request $request): Response
     {
         $payload = json_decode($request->getContent(), true);
+
+        if(is_null($payload) || !isset($payload['type'])) {
+            return new Response('Invalid payload', 400);
+        }
+
         $method = 'handle' . Str::studly(str_replace('.', '_', $payload['type']));
 
         if (method_exists($this, $method)) {

src/Http/Middleware/VerifyWebhookSignature.php

@@ -19,9 +19,7 @@ class VerifyWebhookSignature
     public function handle(Request $request, Closure $next)
     {
         try {
-            $headers = collect($request->headers->all())->transform(function ($item) {
-                return $item[0];
-            })->all();
+            $headers = $this->getTransformedHeaders($request);
 
             WebhookSignature::verify(
                 $request->getContent(),
@@ -35,4 +33,22 @@ public function handle(Request $request, Closure $next)
 
         return $next($request);
     }
+
+    /**
+     * Transform headers to a simple associative array.
+     * This method extracts the first value from each header and returns an array where each key is the header name and the associated value is that first header value
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return array
+     */
+
+     protected function getTransformedHeaders(Request $request): array
+     {
+         $headers = [];
+         foreach($request->headers->all() as $key => $value) {
+             $headers[$key] = $value[0];
+         }
+
+         return $headers;
+     }
 }

tests/Http/Controllers/WebhookController.php

@@ -63,3 +63,16 @@
 
     Event::assertNothingDispatched();
 });
+
+// This function creates a new Request object with a JSON body that does not include the fields expected by your controller.
+function invalidWebhookRequest() {
+    return new Illuminate\Http\Request([], [], [], [], [], ['CONTENT_TYPE' => 'application/json'], json_encode(['invalid' => 'data']));
+}
+
+test('it returns an error response for invalid payload', function() {
+    $request = invalidWebhookRequest();
+
+    $response = (new Controller)->handleWebhook($request);
+
+    expect($response->getStatusCode())->toBe(400);
+});

tests/Http/Middleware/VerifyWebhookSignature.php

@@ -46,3 +46,16 @@ function withSignature(Request $request, string $secret, int $timestamp): void
         return new Response('OK');
     });
 })->throws(AccessDeniedHttpException::class, 'Message timestamp too new');
+
+test('it rejects a request with invalid signature', function () {
+    $request = Request::create('/webhook', 'POST', [], [], [], [], json_encode(['data' => 'test']));
+    $request->headers->set('Signature', 'invalid_signature');
+
+    $middleware = new VerifyWebhookSignature();
+
+    $this->expectException(AccessDeniedHttpException::class);
+
+    $middleware->handle($request, function ($req) {
+        return new Response('OK', 200);
+    });
+});