dave/storkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 10 Wiki Activity

storkit: create 388_story_whatsapp_webhook_hmac_signature_verification

Browse Source
This commit is contained in:
dave
2026-03-25 14:08:00 +00:00
parent 775b9ac7e3
commit fae7b3be20
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
View File

@@ -17,6 +17,7 @@ As a bot operator, I want incoming WhatsApp webhook requests to be cryptographic
- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden - [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected - [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification) - [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
- [ ] MUST use audited crypto crates (hmac, sha2, sha1, base64) — no hand-rolled cryptographic primitives
## Out of Scope ## Out of Scope