handle more complex validations (ie. stripe, slack)

mathieuancelin · mathieuancelin · commit 207de4d76e25 · 2026-02-26T11:26:19.000+01:00
diff --git a/readme.md b/readme.md
@@ -4,16 +4,19 @@ An [Otoroshi](https://github.com/MAIF/otoroshi) plugin that validates webhook pa
 
 ## How it works
 
-The plugin is provider-agnostic: the signature header, HMAC algorithm and prefix are all configurable.
+The plugin is provider-agnostic: the signature header, HMAC algorithm, prefix and signing payload template are all configurable.
 
 The plugin:
 
 1. Reads the raw request body.
-2. Computes `HMAC-<algorithm>(secret, rawBody)` using the configured secret and algorithm.
-3. Prepends the configured prefix to the hex-encoded hash to form the expected signature.
-4. Compares the result (constant-time, to prevent timing attacks) against the configured signature header.
-5. Forwards the request to your backend unchanged when the signature is valid.
-6. Returns **401 Unauthorized** when the signature is missing or invalid.
+2. Optionally resolves a timestamp (from a dedicated header or extracted from the signature header via regex).
+3. Builds the signing payload by applying the `signing_payload_template` (e.g. `{timestamp}.{body}` for Stripe, `v0:{timestamp}:{body}` for Slack, or plain `{body}` for most providers).
+4. Computes `HMAC-<algorithm>(secret, signingPayload)` using the configured secret and algorithm.
+5. Prepends the configured prefix to the hex-encoded hash to form the expected signature.
+6. Optionally extracts the actual signature from the header value using a regex (e.g. `v1=([^,]+)` for Stripe).
+7. Compares the result (constant-time, to prevent timing attacks) against the extracted or raw signature header value.
+8. Forwards the request to your backend unchanged when the signature is valid.
+9. Returns **401 Unauthorized** when the signature is missing, the timestamp cannot be resolved, or the signature is invalid.
 
 ## Create a route to receive GitHub webhooks
 
@@ -81,21 +84,104 @@ $ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
   }'
 ```
 
+## Create a route to receive Stripe webhooks
+
+Stripe signs the payload as `{timestamp}.{body}` and sends the signature as `t=<timestamp>,v1=<sig>` in the `Stripe-Signature` header. Both the timestamp and the signature must be extracted from that header with a regex.
+
+```shell
+$ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
+  -H "Content-type: application/json" \
+  -u 'admin-api-apikey-id:admin-api-apikey-secret' \
+  -d '{
+    "name": "stripe-webhook-receiver",
+    "frontend": {
+      "domains": ["webhooks.oto.tools/stripe"]
+    },
+    "backend": {
+      "targets": [{
+        "hostname": "my-backend.example.com",
+        "port": 443,
+        "tls": true
+      }]
+    },
+    "plugins": [
+      {
+        "enabled": true,
+        "plugin": "cp:otoroshi_plugins.com.cloud.apim.otoroshi.plugins.webhook.WebhookPayloadValidator",
+        "config": {
+          "secret": "whsec_your-stripe-webhook-secret",
+          "signature_header": "Stripe-Signature",
+          "algorithm": "HmacSHA256",
+          "prefix": "",
+          "signing_payload_template": "{timestamp}.{body}",
+          "timestamp_extraction_regex": "t=([^,]+)",
+          "signature_extraction_regex": "v1=([^,]+)"
+        }
+      }
+    ]
+  }'
+```
+
+## Create a route to receive Slack webhooks
+
+Slack signs the payload as `v0:{timestamp}:{body}` and sends the timestamp in a separate `X-Slack-Request-Timestamp` header. The signature header value is `v0=<sig>`.
+
+```shell
+$ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
+  -H "Content-type: application/json" \
+  -u 'admin-api-apikey-id:admin-api-apikey-secret' \
+  -d '{
+    "name": "slack-webhook-receiver",
+    "frontend": {
+      "domains": ["webhooks.oto.tools/slack"]
+    },
+    "backend": {
+      "targets": [{
+        "hostname": "my-backend.example.com",
+        "port": 443,
+        "tls": true
+      }]
+    },
+    "plugins": [
+      {
+        "enabled": true,
+        "plugin": "cp:otoroshi_plugins.com.cloud.apim.otoroshi.plugins.webhook.WebhookPayloadValidator",
+        "config": {
+          "secret": "your-slack-signing-secret",
+          "signature_header": "X-Slack-Signature",
+          "algorithm": "HmacSHA256",
+          "prefix": "v0=",
+          "signing_payload_template": "v0:{timestamp}:{body}",
+          "timestamp_header": "X-Slack-Request-Timestamp"
+        }
+      }
+    ]
+  }'
+```
+
 ## Plugin configuration
 
-| Field              | Type     | Required | Default                  | Description                                                                         |
-|--------------------|----------|----------|--------------------------|-------------------------------------------------------------------------------------|
-| `secret`           | `string` | yes      | –                        | The HMAC secret shared with the webhook provider.      |
-| `signature_header` | `string` | no       | `X-Hub-Signature-256`    | Name of the HTTP header that carries the signature.                                 |
-| `algorithm`        | `string` | no       | `HmacSHA256`             | Java HMAC algorithm name. Supported values: `HmacSHA256`, `HmacSHA512`, `HmacSHA384`, `HmacSHA1`. |
-| `prefix`           | `string` | no       | derived from `algorithm` | String prepended to the hex hash before comparison (e.g. `sha256=`). Defaults are derived automatically from the chosen algorithm. |
+| Field                        | Type     | Required | Default                  | Description                                                                                                                          |
+|------------------------------|----------|----------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
+| `secret`                     | `string` | yes      | –                        | The HMAC secret shared with the webhook provider.                                                                                    |
+| `signature_header`           | `string` | no       | `X-Hub-Signature-256`    | Name of the HTTP header that carries the signature.                                                                                  |
+| `algorithm`                  | `string` | no       | `HmacSHA256`             | Java HMAC algorithm name. Supported values: `HmacSHA256`, `HmacSHA512`, `HmacSHA384`, `HmacSHA1`.                                   |
+| `prefix`                     | `string` | no       | derived from `algorithm` | String prepended to the hex hash before comparison (e.g. `sha256=`). Use `""` when the comparison value is raw hex (Stripe).         |
+| `signing_payload_template`   | `string` | no       | `{body}`                 | Template for the HMAC input. Supports `{body}` (raw body) and `{timestamp}`. Examples: `{timestamp}.{body}` (Stripe), `v0:{timestamp}:{body}` (Slack). |
+| `timestamp_header`           | `string` | no       | `""`                     | Name of a separate HTTP header containing the timestamp (e.g. `X-Slack-Request-Timestamp` for Slack).                               |
+| `timestamp_extraction_regex` | `string` | no       | `""`                     | Regex with one capture group to extract the timestamp from the **signature header** value (e.g. `t=([^,]+)` for Stripe).             |
+| `signature_extraction_regex` | `string` | no       | `""`                     | Regex with one capture group to extract the actual signature from the **signature header** value (e.g. `v1=([^,]+)` for Stripe). When empty the full header value is used. |
 
 ```json
 {
   "secret": "your-webhook-secret",
   "signature_header": "X-Hub-Signature-256",
   "algorithm": "HmacSHA256",
-  "prefix": "sha256="
+  "prefix": "sha256=",
+  "signing_payload_template": "{body}",
+  "timestamp_header": "",
+  "timestamp_extraction_regex": "",
+  "signature_extraction_regex": ""
 }
 ```
 
@@ -113,7 +199,8 @@ $ curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
 | Status | Body                                           | Meaning |
 |--------|------------------------------------------------|---------|
 | forwarded to backend | –                                              | Signature is valid, request is passed through unchanged. |
-| `401 Unauthorized` | `{ "error": "missing xxxx header" }`           | The header was not present in the incoming request. |
+| `401 Unauthorized` | `{ "error": "missing xxxx header" }`           | The signature header was not present in the incoming request. |
+| `401 Unauthorized` | `{ "error": "missing timestamp" }`             | The timestamp could not be resolved (missing header or regex did not match). |
 | `401 Unauthorized` | `{ "error": "invalid signature" }`             | The computed HMAC does not match the header value. |
 | `401 Unauthorized` | `{ "error": "webhook secret not configured" }` | The plugin `secret` field is empty. |
 
diff --git a/src/main/scala/com/cloud/apim/otoroshi/plugins/webhook/validator.scala b/src/main/scala/com/cloud/apim/otoroshi/plugins/webhook/validator.scala
@@ -18,10 +18,14 @@ import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success, Try}
 
 case class WebhookValidatorConfig(
-  secret: String          = "",
-  signatureHeader: String = "X-Hub-Signature-256",
-  algorithm: String       = "HmacSHA256",
-  prefix: String          = "sha256=",
+  secret: String                   = "",
+  signatureHeader: String          = "X-Hub-Signature-256",
+  algorithm: String                = "HmacSHA256",
+  prefix: String                   = "sha256=",
+  signingPayloadTemplate: String   = "{body}",
+  timestampHeader: String          = "",
+  timestampExtractionRegex: String = "",
+  signatureExtractionRegex: String = "",
 ) extends NgPluginConfig {
   def json: JsValue = WebhookValidatorConfig.format.writes(this)
 }
@@ -30,18 +34,26 @@ object WebhookValidatorConfig {
   val default: WebhookValidatorConfig = WebhookValidatorConfig()
   val format: Format[WebhookValidatorConfig] = new Format[WebhookValidatorConfig] {
     override def writes(o: WebhookValidatorConfig): JsValue = Json.obj(
-      "secret"           -> o.secret,
-      "signature_header" -> o.signatureHeader,
-      "algorithm"        -> o.algorithm,
-      "prefix"           -> o.prefix,
+      "secret"                    -> o.secret,
+      "signature_header"          -> o.signatureHeader,
+      "algorithm"                 -> o.algorithm,
+      "prefix"                    -> o.prefix,
+      "signing_payload_template"  -> o.signingPayloadTemplate,
+      "timestamp_header"          -> o.timestampHeader,
+      "timestamp_extraction_regex"-> o.timestampExtractionRegex,
+      "signature_extraction_regex"-> o.signatureExtractionRegex,
     )
     override def reads(json: JsValue): JsResult[WebhookValidatorConfig] = Try {
       val algo = json.select("algorithm").asOpt[String].getOrElse("HmacSHA256")
       WebhookValidatorConfig(
-        secret          = json.select("secret").asOpt[String].getOrElse(""),
-        signatureHeader = json.select("signature_header").asOpt[String].getOrElse("X-Hub-Signature-256"),
-        algorithm       = algo,
-        prefix          = json.select("prefix").asOpt[String].getOrElse(WebhookValidatorConfig.defaultPrefix(algo)),
+        secret                   = json.select("secret").asOpt[String].getOrElse(""),
+        signatureHeader          = json.select("signature_header").asOpt[String].getOrElse("X-Hub-Signature-256"),
+        algorithm                = algo,
+        prefix                   = json.select("prefix").asOpt[String].getOrElse(WebhookValidatorConfig.defaultPrefix(algo)),
+        signingPayloadTemplate   = json.select("signing_payload_template").asOpt[String].getOrElse("{body}"),
+        timestampHeader          = json.select("timestamp_header").asOpt[String].getOrElse(""),
+        timestampExtractionRegex = json.select("timestamp_extraction_regex").asOpt[String].getOrElse(""),
+        signatureExtractionRegex = json.select("signature_extraction_regex").asOpt[String].getOrElse(""),
       )
     } match {
       case Failure(e) => JsError(e.getMessage)
@@ -58,7 +70,11 @@ object WebhookValidatorConfig {
     case _                         => "sha256="
   }
 
-  val configFlow: Seq[String] = Seq("secret", "signature_header", "algorithm", "prefix")
+  val configFlow: Seq[String] = Seq(
+    "secret", "signature_header", "algorithm", "prefix",
+    "signing_payload_template", "timestamp_header",
+    "timestamp_extraction_regex", "signature_extraction_regex",
+  )
   val configSchema: Option[JsObject] = Some(Json.obj(
     "secret"           -> Json.obj("type" -> "password", "label" -> "Webhook Secret"),
     "signature_header" -> Json.obj("type" -> "string",   "label" -> "Signature Header"),
@@ -74,7 +90,11 @@ object WebhookValidatorConfig {
         ),
       ),
     ),
-    "prefix"           -> Json.obj("type" -> "string", "label" -> "Signature Prefix"),
+    "prefix"                     -> Json.obj("type" -> "string", "label" -> "Signature Prefix"),
+    "signing_payload_template"   -> Json.obj("type" -> "string", "label" -> "Signing Payload Template (use {body} and {timestamp})"),
+    "timestamp_header"           -> Json.obj("type" -> "string", "label" -> "Timestamp Header (e.g. X-Slack-Request-Timestamp)"),
+    "timestamp_extraction_regex" -> Json.obj("type" -> "string", "label" -> "Regex to extract timestamp from signature header (e.g. t=([^,]+))"),
+    "signature_extraction_regex" -> Json.obj("type" -> "string", "label" -> "Regex to extract signature from signature header (e.g. v1=([^,]+))"),
   ))
 }
 
@@ -88,7 +108,7 @@ class WebhookPayloadValidator extends NgRequestTransformer {
   override def multiInstance: Boolean                      = true
   override def core: Boolean                               = false
   override def name: String                                = "Cloud APIM - Webhook Payload Validator"
-  override def description: Option[String]                 = Some("This plugin validates webhook payloads by verifying an HMAC signature. The header name, algorithm and prefix are all configurable.")
+  override def description: Option[String]                 = Some("This plugin validates webhook payloads by verifying an HMAC signature. The header name, algorithm, prefix and signing payload template are all configurable.")
   override def defaultConfigObject: Option[NgPluginConfig] = Some(WebhookValidatorConfig.default)
   override def noJsForm: Boolean                           = false
   override def configFlow: Seq[String]                     = WebhookValidatorConfig.configFlow
@@ -112,6 +132,14 @@ class WebhookPayloadValidator extends NgRequestTransformer {
     mac.doFinal(body.toArray).map(b => f"${b & 0xff}%02x").mkString
   }
 
+  private def buildSigningPayload(template: String, bodyBytes: ByteString, timestamp: String): ByteString = {
+    if (template.isEmpty || template == "{body}") {
+      bodyBytes
+    } else {
+      ByteString(template.replace("{timestamp}", timestamp).replace("{body}", bodyBytes.utf8String), "UTF-8")
+    }
+  }
+
   override def transformRequest(ctx: NgTransformerRequestContext)(implicit env: Env, ec: ExecutionContext, mat: Materializer): Future[Either[Result, NgPluginHttpRequest]] = {
     val config = ctx.cachedConfig(internalName)(WebhookValidatorConfig.format).getOrElse(WebhookValidatorConfig.default)
     if (config.secret.isEmpty) {
@@ -122,26 +150,51 @@ class WebhookPayloadValidator extends NgRequestTransformer {
         case None =>
           if (logger.isDebugEnabled) logger.debug(s"[Webhook Validator] missing ${config.signatureHeader} header")
           Left(Results.Unauthorized(Json.obj("error" -> s"missing ${config.signatureHeader} header"))).vfuture
-        case Some(receivedSignature) =>
-          ctx.otoroshiRequest.body.runFold(ByteString.empty)(_ ++ _).map { bodyBytes =>
-            val computedHash      = computeHmac(config.algorithm, config.secret, bodyBytes)
-            val expectedSignature = s"${config.prefix}$computedHash"
-
-            if (logger.isDebugEnabled) {
-              logger.debug(s"[Webhook Validator] expected : $expectedSignature")
-              logger.debug(s"[Webhook Validator] received : $receivedSignature")
-            }
-            // Constant-time comparison to prevent timing-attack side channels
-            val expected = expectedSignature.getBytes("UTF-8")
-            val received = receivedSignature.getBytes("UTF-8")
-
-            if (MessageDigest.isEqual(expected, received)) {
-              // Re-emit the already-consumed body so downstream plugins / the backend still see it
-              Right(ctx.otoroshiRequest.copy(body = Source.single(bodyBytes)))
-            } else {
-              logger.warn(s"[Webhook Validator] invalid signature for header ${config.signatureHeader}")
-              Left(Results.Unauthorized(Json.obj("error" -> "invalid signature")))
-            }
+        case Some(rawSignatureHeader) =>
+          // Extract actual signature value from the header (e.g. Stripe: "t=...,v1=<sig>")
+          val receivedSignature: String =
+            if (config.signatureExtractionRegex.nonEmpty)
+              config.signatureExtractionRegex.r.findFirstMatchIn(rawSignatureHeader).map(_.group(1)).getOrElse(rawSignatureHeader)
+            else
+              rawSignatureHeader
+
+          // Resolve timestamp when the template needs it
+          val needsTimestamp = config.signingPayloadTemplate.contains("{timestamp}")
+          val timestampOpt: Option[String] =
+            if (!needsTimestamp) Some("")
+            else if (config.timestampHeader.nonEmpty)
+              ctx.request.headers.get(config.timestampHeader)
+            else if (config.timestampExtractionRegex.nonEmpty)
+              config.timestampExtractionRegex.r.findFirstMatchIn(rawSignatureHeader).map(_.group(1))
+            else Some("")
+
+          timestampOpt match {
+            case None =>
+              val source = if (config.timestampHeader.nonEmpty) s"header '${config.timestampHeader}'" else s"signature header via regex '${config.timestampExtractionRegex}'"
+              if (logger.isDebugEnabled) logger.debug(s"[Webhook Validator] missing timestamp from $source")
+              Left(Results.Unauthorized(Json.obj("error" -> s"missing timestamp"))).vfuture
+            case Some(timestamp) =>
+              ctx.otoroshiRequest.body.runFold(ByteString.empty)(_ ++ _).map { bodyBytes =>
+                val signingPayload    = buildSigningPayload(config.signingPayloadTemplate, bodyBytes, timestamp)
+                val computedHash      = computeHmac(config.algorithm, config.secret, signingPayload)
+                val expectedSignature = s"${config.prefix}$computedHash"
+
+                if (logger.isDebugEnabled) {
+                  logger.debug(s"[Webhook Validator] expected : $expectedSignature")
+                  logger.debug(s"[Webhook Validator] received : $receivedSignature")
+                }
+                // Constant-time comparison to prevent timing-attack side channels
+                val expected = expectedSignature.getBytes("UTF-8")
+                val received = receivedSignature.getBytes("UTF-8")
+
+                if (MessageDigest.isEqual(expected, received)) {
+                  // Re-emit the already-consumed body so downstream plugins / the backend still see it
+                  Right(ctx.otoroshiRequest.copy(body = Source.single(bodyBytes)))
+                } else {
+                  logger.warn(s"[Webhook Validator] invalid signature for header ${config.signatureHeader}")
+                  Left(Results.Unauthorized(Json.obj("error" -> "invalid signature")))
+                }
+              }
           }
       }
     }
