CAMEL-23762: camel-whatsapp - support X-Hub-Signature-256 verification of inbound webhook payloads #24034

Open
oscerd wants to merge 1 commit into apache:main from oscerd:fix/CAMEL-23762-whatsapp-signature

@oscerd oscerd commented Jun 15, 2026

Contributor

Description

The camel-whatsapp webhook consumer forwards inbound event callbacks to the route without verifying their authenticity. WhatsApp/Meta signs event payloads with an X-Hub-Signature-256 header (HMAC-SHA256 of the raw request body keyed by the app secret).

This adds a webhookSecret endpoint option:

  • When set, inbound event callbacks whose X-Hub-Signature-256 signature is missing or does not match are rejected with HTTP 403, using a constant-time comparison.
  • When not set, behaviour is unchanged (no signature verification).

This mirrors the signature verification already provided by camel-clickup.

Testing

Adds WhatsAppWebhookSignatureTest covering valid, invalid, missing, tampered-payload and wrong-secret cases.

Claude Code on behalf of Andrea Cosentino.

🤖 Generated with Claude Code
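
The check the description outlines, as an added example that is not the PR's code: recompute HMAC-SHA256 over the raw request bytes and compare it in constant time with the value from X-Hub-Signature-256. The class and method names are hypothetical, the secret and payloads are constructed, and the `sha256=` prefix is Meta's documented header format rather than something stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HubSignatureCheck {
    private static final String PREFIX = "sha256="; // header value is sha256=<hex digest>

    static byte[] hmac(byte[] rawBody, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(rawBody);
    }

    // True only when the header carries the HMAC-SHA256 of the exact bytes received.
    // Callers must pass the raw body, not a re-serialized JSON object.
    static boolean isValid(byte[] rawBody, String header, String secret) throws GeneralSecurityException {
        if (header == null || !header.startsWith(PREFIX)) {
            return false; // missing header or unknown scheme
        }
        byte[] received;
        try {
            received = HexFormat.of().parseHex(header.substring(PREFIX.length()));
        } catch (IllegalArgumentException e) {
            return false; // malformed hex
        }
        // MessageDigest.isEqual is a constant-time comparison
        return MessageDigest.isEqual(hmac(rawBody, secret), received);
    }

    static void expect(String name, boolean actual, boolean wanted) {
        if (actual != wanted) throw new AssertionError(name);
        System.out.println(name + ": " + (actual ? "accepted" : "rejected (403)"));
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-app-secret"; // constructed sample values
        byte[] body = "{\"object\":\"whatsapp_business_account\",\"entry\":[]}".getBytes(StandardCharsets.UTF_8);
        String header = PREFIX + HexFormat.of().formatHex(hmac(body, secret));
        byte[] tampered = "{\"object\":\"whatsapp_business_account\",\"entry\":[1]}".getBytes(StandardCharsets.UTF_8);

        expect("valid", isValid(body, header, secret), true);
        expect("invalid", isValid(body, PREFIX + "00".repeat(32), secret), false);
        expect("missing", isValid(body, null, secret), false);
        expect("tampered payload", isValid(tampered, header, secret), false);
        expect("wrong secret", isValid(body, header, "other-secret"), false);
    }
}
```

The five cases in `main` follow the ones the PR's test is said to cover; `HexFormat` requires Java 17 or later.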

…n of inbound webhook payloads

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@oscerd oscerd requested review from Croway and davsclaus June 15, 2026 15:37
@github-actions

Contributor

🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@github-actions

Contributor

🧪 CI tested the following changed modules:

  • catalog/camel-catalog
  • components/camel-whatsapp
  • dsl/camel-endpointdsl
All tested modules (10 modules)
  • Camel :: Catalog :: Camel Catalog
  • Camel :: Endpoint DSL
  • Camel :: JBang :: MCP
  • Camel :: JBang :: Plugin :: Route Parser
  • Camel :: JBang :: Plugin :: TUI
  • Camel :: JBang :: Plugin :: Validate
  • Camel :: Launcher :: Container
  • Camel :: Whatsapp
  • Camel :: YAML DSL :: Validator
  • Camel :: YAML DSL :: Validator Maven Plugin

⚙️ View full build and test results
