Add webhook secret rotation support (WEBHOOK_SECRET_OLD)

manascb1344 · manascb1344 · commit d1dc77059b49 · 2026-04-25T00:32:42.000+05:30
Falls back to WEBHOOK_SECRET_OLD when primary secret fails
verification, enabling zero-downtime secret rotation.
diff --git a/app.py b/app.py
@@ -376,12 +376,20 @@ async def verify_signature(request: Request, body: bytes) -> str | None:
         )
         raise HTTPException(status_code=400, detail="Missing delivery ID")
 
-    hash_object = hmac.new(webhook_secret.encode(), msg=body, digestmod=hashlib.sha256)
-    expected_signature = "sha256=" + hash_object.hexdigest()
+    def _check_secret(secret: str) -> bool:
+        computed = hmac.new(secret.encode(), msg=body, digestmod=hashlib.sha256)
+        return hmac.compare_digest("sha256=" + computed.hexdigest(), signature)
 
-    if not hmac.compare_digest(expected_signature, signature):
-        logger.error("Invalid signature", extra={"error_code": "invalid_signature"})
-        raise HTTPException(status_code=403, detail="Invalid signature")
+    if not _check_secret(webhook_secret):
+        old_secret = os.environ.get("WEBHOOK_SECRET_OLD")
+        if old_secret and _check_secret(old_secret):
+            logger.info(
+                "Signature verified with old webhook secret (rotation in progress)",
+                extra={"delivery_id": delivery_id},
+            )
+        else:
+            logger.error("Invalid signature", extra={"error_code": "invalid_signature"})
+            raise HTTPException(status_code=403, detail="Invalid signature")
 
     return delivery_id
 
