Fix Insecure Webhooks in Spiral

Spiral's high-performance RoadRunner core won't save you from a logic flaw. Insecure webhooks are a prime target for payload spoofing and RCE. If your endpoint processes incoming POST requests without cryptographic verification, you're effectively providing an unauthenticated API to the entire internet. We fix this by enforcing HMAC signature validation on the raw request body.

The Vulnerable Pattern

public function handle(ServerRequestInterface $request): ResponseInterface
{
    // VULNERABLE: Blindly trusting the parsed body
    $data = $request->getParsedBody();
$this->orderService->updateStatus($data['order_id'], $data['status']);

return new Response(200);
}

The Secure Implementation

The fix implements a strict HMAC SHA256 verification layer. First, we extract the raw stream from the PSR-7 request object before any middleware potentially mutates it. We then compute the expected signature using a shared secret and compare it against the provided header using hash_equals(). This constant-time comparison is critical to mitigate timing-based side-channel attacks. Only after the identity of the sender is cryptographically proven do we proceed to decode the JSON and execute business logic.

public function handle(ServerRequestInterface $request): ResponseInterface
{
    $signature = $request->getHeaderLine('X-Hub-Signature-256');
    $payload = (string)$request->getBody();
    $secret = $this->config->get('webhook.secret');
if (empty($signature)) {
    return new Response(401);
}

$expected = 'sha256=' . hash_hmac('sha256', $payload, $secret);

// Use hash_equals to prevent timing attacks
if (!hash_equals($expected, $signature)) {
    return new Response(403);
}

$data = json_decode($payload, true);
$this->orderService->updateStatus($data['order_id'], $data['status']);

return new Response(200);
}