You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(queue): verify QStash webhooks before dispatch
Implements Upstash signature verification in Go (HS256 JWT, current +
next signing keys for rotation, exp/nbf/body/sub checks). The
dashboard's Node `Receiver.verify()` from `@upstash/qstash` was the
reference — we mirror the same claim set and header layout so both
services accept the same signed deliveries.
Wires the verifier into `POST /internal/jobs/{kind}`: reads the raw
body, verifies `Upstash-Signature` against the configured keys and the
canonical webhook URL, then dispatches through the existing
`QStash.Dispatch` handler registry. Accepts both full `Job` envelopes
(what the engine's own Enqueue emits) and bare payloads (what the
dashboard's `publishJSON` emits).
Config now surfaces `current_signing_key` / `next_signing_key` under
`queue.qstash`, with env-var overrides that accept both VLE_-prefixed
and bare names (QSTASH_CURRENT_SIGNING_KEY etc.) so ops can share env
with the dashboard.
Unit tests cover happy path, next-key rotation, wrong key, tampered
body, expired exp, wrong sub, malformed JWT, and URL-check-skipped.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
0 commit comments