[Bug]: lowercased webhook signature header not recognized by `validateWebhook`

Question

[Bug]: lowercased webhook signature header not recognized by `validateWebhook`

Closed this issue a year ago · 3 comments

thyming commented a year ago

Software Version

6.7.0

Language Version

Node 16

Operating System

Linux

What happened?

Tried to validate a signature
Library says it's not valid

What was expected?

validateWebhook is case-insensitive looking for the signature header.
fastify, for example, lowercases all incoming headers and the http spec says headers are case insensitive.

Sample Code

No response

Relevant logs

No response

Answer 1 · 2023-08-07T19:03:00.000Z

Hey there, thanks for writing in! Can you help me understand the need for this? EasyPost should be sending these headers title cased as the code is already written. Are you saying you are receiving webhooks that have a lowercased header?

Answer 2 · 2023-08-07T19:54:53.000Z

Yes, for example fastify lowercases all incoming headers.
Also, in http2, headers are explicitly required to be lowercased as part of the spec.
fastify/help#71

Answer 3 · 2023-08-07T21:32:59.000Z

Ah I see, your integration is using fastify so by the time your code gets the header, it's already been lowercased?

This is interesting. Your proposed solution should do the trick. We'll maybe want to revisit this holistically in the future but can move on this in the time being.