storkit: create 388_story_whatsapp_webhook_hmac_signature_verification
This commit is contained in:
dave
@@ -17,6 +17,7 @@ As a bot operator, I want incoming WhatsApp webhook requests to be cryptographic
|
||||
- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
|
||||
- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
|
||||
- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
|
||||
- [ ] MUST use audited crypto crates (hmac, sha2, sha1, base64) — no hand-rolled cryptographic primitives
|
||||
|
||||
## Out of Scope
|
||||
|
||||
|
||||
Reference in New Issue
Block a user