fix: P0 security and data integrity fixes for launch readiness

Digidai · claude · Digidai · commit bef89b45323b · 2026-04-04T22:30:58.000+08:00
- Fix CHECK constraint on emails.status to include delivered/bounced/complained/delivery_delayed
- Add Svix HMAC-SHA256 signature verification to Resend webhook endpoint
- Add 5 new tests for webhook signature validation (valid/invalid/missing/expired)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/test/unit/delivery-status.test.ts b/test/unit/delivery-status.test.ts
@@ -1,5 +1,18 @@
 import { describe, test, expect, mock, afterEach } from 'bun:test'
 
+/** Helper: generate a valid Svix signature for testing */
+async function signWebhook(secret: string, svixId: string, timestamp: string, body: string) {
+  const secretBytes = Uint8Array.from(atob(secret.replace(/^whsec_/, '')), c => c.charCodeAt(0))
+  const toSign = `${svixId}.${timestamp}.${body}`
+  const key = await crypto.subtle.importKey(
+    'raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'],
+  )
+  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(toSign))
+  return `v1,${btoa(String.fromCharCode(...new Uint8Array(sig)))}`
+}
+
+const TEST_SECRET = 'whsec_' + btoa('test-secret-key-for-unit-tests!')
+
 describe('Delivery Status Handler', () => {
   afterEach(() => { mock.restore() })
 
@@ -65,4 +78,109 @@ describe('Delivery Status Handler', () => {
     const body = await res.json() as { ok: boolean }
     expect(body.ok).toBe(true)
   })
+
+  test('rejects webhook with invalid signature when secret is configured', async () => {
+    const { handleResendWebhook } = await import('../../worker/src/handlers/delivery-status')
+
+    const bodyStr = JSON.stringify({ type: 'email.sent', created_at: '2026-04-04', data: { email_id: 'abc' } })
+    const request = new Request('http://localhost/api/resend-webhook', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'svix-id': 'msg_test123',
+        'svix-timestamp': String(Math.floor(Date.now() / 1000)),
+        'svix-signature': 'v1,invalidsignature',
+      },
+      body: bodyStr,
+    })
+    const env = { RESEND_WEBHOOK_SECRET: TEST_SECRET, DB: {} } as any
+    const ctx = { waitUntil: () => {} } as any
+
+    const res = await handleResendWebhook(request, env, ctx)
+    expect(res.status).toBe(401)
+  })
+
+  test('rejects webhook with missing signature headers when secret is configured', async () => {
+    const { handleResendWebhook } = await import('../../worker/src/handlers/delivery-status')
+
+    const request = new Request('http://localhost/api/resend-webhook', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ type: 'email.sent', created_at: '2026-04-04', data: { email_id: 'abc' } }),
+    })
+    const env = { RESEND_WEBHOOK_SECRET: TEST_SECRET, DB: {} } as any
+    const ctx = { waitUntil: () => {} } as any
+
+    const res = await handleResendWebhook(request, env, ctx)
+    expect(res.status).toBe(401)
+  })
+
+  test('rejects webhook with expired timestamp', async () => {
+    const { handleResendWebhook } = await import('../../worker/src/handlers/delivery-status')
+
+    const bodyStr = JSON.stringify({ type: 'email.sent', created_at: '2026-04-04', data: { email_id: 'abc' } })
+    const expiredTs = String(Math.floor(Date.now() / 1000) - 600) // 10 min ago
+    const sig = await signWebhook(TEST_SECRET, 'msg_test123', expiredTs, bodyStr)
+
+    const request = new Request('http://localhost/api/resend-webhook', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'svix-id': 'msg_test123',
+        'svix-timestamp': expiredTs,
+        'svix-signature': sig,
+      },
+      body: bodyStr,
+    })
+    const env = { RESEND_WEBHOOK_SECRET: TEST_SECRET, DB: {} } as any
+    const ctx = { waitUntil: () => {} } as any
+
+    const res = await handleResendWebhook(request, env, ctx)
+    expect(res.status).toBe(401)
+  })
+
+  test('accepts webhook with valid signature', async () => {
+    const { handleResendWebhook } = await import('../../worker/src/handlers/delivery-status')
+
+    const bodyStr = JSON.stringify({ type: 'email.unknown_event', created_at: '2026-04-04', data: { email_id: 'abc' } })
+    const ts = String(Math.floor(Date.now() / 1000))
+    const svixId = 'msg_valid123'
+    const sig = await signWebhook(TEST_SECRET, svixId, ts, bodyStr)
+
+    const request = new Request('http://localhost/api/resend-webhook', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'svix-id': svixId,
+        'svix-timestamp': ts,
+        'svix-signature': sig,
+      },
+      body: bodyStr,
+    })
+    const env = {
+      RESEND_WEBHOOK_SECRET: TEST_SECRET,
+      DB: { prepare: () => ({ bind: () => ({ first: async () => null, run: async () => ({}) }) }) },
+    } as any
+    const ctx = { waitUntil: () => {} } as any
+
+    const res = await handleResendWebhook(request, env, ctx)
+    // Unknown event type → acknowledged with 200
+    expect(res.status).toBe(200)
+  })
+
+  test('skips signature check when RESEND_WEBHOOK_SECRET is not set', async () => {
+    const { handleResendWebhook } = await import('../../worker/src/handlers/delivery-status')
+
+    const request = new Request('http://localhost/api/resend-webhook', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ type: 'email.unknown', created_at: '2026-04-04', data: { email_id: 'abc' } }),
+    })
+    // No RESEND_WEBHOOK_SECRET in env
+    const env = { DB: { prepare: () => ({ bind: () => ({ first: async () => null, run: async () => ({}) }) }) } } as any
+    const ctx = { waitUntil: () => {} } as any
+
+    const res = await handleResendWebhook(request, env, ctx)
+    expect(res.status).toBe(200)
+  })
 })
diff --git a/worker/schema.sql b/worker/schema.sql
@@ -20,7 +20,7 @@ CREATE TABLE IF NOT EXISTS emails (
   attachment_search_text TEXT DEFAULT '',
   raw_storage_key TEXT,
   direction TEXT NOT NULL CHECK (direction IN ('inbound', 'outbound')),
-  status TEXT DEFAULT 'received' CHECK (status IN ('received', 'sent', 'failed', 'queued')),
+  status TEXT DEFAULT 'received' CHECK (status IN ('received', 'sent', 'failed', 'queued', 'delivered', 'bounced', 'complained', 'delivery_delayed')),
   received_at TEXT NOT NULL,
   created_at TEXT NOT NULL
 );
diff --git a/worker/src/handlers/delivery-status.ts b/worker/src/handlers/delivery-status.ts
@@ -2,6 +2,45 @@ import type { Env } from '../types'
 import { recordEvent } from './events'
 import { fireWebhookWithRetry } from './webhook'
 
+/**
+ * Verify Resend webhook signature (Svix).
+ * Resend signs webhooks with svix-id, svix-timestamp, svix-signature headers.
+ * See: https://resend.com/docs/dashboard/webhooks/introduction
+ */
+async function verifyResendSignature(
+  request: Request,
+  rawBody: string,
+  secret: string,
+): Promise<boolean> {
+  const svixId = request.headers.get('svix-id')
+  const svixTimestamp = request.headers.get('svix-timestamp')
+  const svixSignature = request.headers.get('svix-signature')
+
+  if (!svixId || !svixTimestamp || !svixSignature) return false
+
+  // Reject timestamps older than 5 minutes
+  const ts = parseInt(svixTimestamp, 10)
+  const now = Math.floor(Date.now() / 1000)
+  if (Math.abs(now - ts) > 300) return false
+
+  // Svix secret is base64-encoded after "whsec_" prefix
+  const secretBytes = Uint8Array.from(atob(secret.replace(/^whsec_/, '')), c => c.charCodeAt(0))
+
+  const toSign = `${svixId}.${svixTimestamp}.${rawBody}`
+  const key = await crypto.subtle.importKey(
+    'raw', secretBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign'],
+  )
+  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(toSign))
+  const expected = btoa(String.fromCharCode(...new Uint8Array(sig)))
+
+  // svix-signature may contain multiple signatures separated by spaces (v1,xxx v1,yyy)
+  const signatures = svixSignature.split(' ')
+  return signatures.some(s => {
+    const val = s.split(',')[1]
+    return val === expected
+  })
+}
+
 /**
  * Resend webhook callback handler.
  * POST /api/resend-webhook — receives delivery status updates from Resend.
@@ -10,12 +49,23 @@ import { fireWebhookWithRetry } from './webhook'
  * email.complained, email.delivery_delayed
  *
  * Updates the email status in D1 and fires user webhooks + SSE events.
+ * Signature verified via RESEND_WEBHOOK_SECRET (Svix HMAC-SHA256).
  */
 export async function handleResendWebhook(
   request: Request,
   env: Env,
   ctx: ExecutionContext,
 ): Promise<Response> {
+  const rawBody = await request.text()
+
+  // Verify webhook signature if secret is configured
+  if (env.RESEND_WEBHOOK_SECRET) {
+    const valid = await verifyResendSignature(request, rawBody, env.RESEND_WEBHOOK_SECRET)
+    if (!valid) {
+      return Response.json({ error: 'Invalid webhook signature' }, { status: 401 })
+    }
+  }
+
   let body: {
     type: string
     created_at: string
@@ -29,7 +79,7 @@ export async function handleResendWebhook(
   }
 
   try {
-    body = await request.json()
+    body = JSON.parse(rawBody)
   } catch {
     return Response.json({ error: 'Invalid JSON' }, { status: 400 })
   }
