Add Svix, Linear, PagerDuty and Twilio webhook platform support and verification

README.md

@@ -189,6 +189,10 @@ app.post('/webhooks/stripe', createWebhookHandler({
 | **Grafana** | HMAC-SHA256 | ✅ Tested |
 | **Doppler** | HMAC-SHA256 | ✅ Tested |
 | **Sanity** | HMAC-SHA256 | ✅ Tested |
+| **Svix** | HMAC-SHA256 | ⚠️ Untested for now |
+| **Linear** | HMAC-SHA256 | ⚠️ Untested for now |
+| **PagerDuty** | HMAC-SHA256 | ⚠️ Untested for now |
+| **Twilio** | HMAC-SHA1 | ⚠️ Untested for now |
 | **Razorpay** | HMAC-SHA256 | 🔄 Pending |
 | **Vercel** | HMAC-SHA256 | 🔄 Pending |
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hookflo/tern",
-  "version": "4.3.0",
+  "version": "4.3.1-beta",
   "description": "A robust, scalable webhook verification framework supporting multiple platforms and signature algorithms",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

src/index.ts

@@ -246,6 +246,10 @@ export class WebhookVerificationService {
       case 'workos':
       case 'sentry':
       case 'vercel':
+      case 'linear':
+      case 'pagerduty':
+      case 'twilio':
+      case 'svix':
         return this.pickString(payload?.id) || null;
       case 'doppler':
         return this.pickString(payload?.event?.id, metadata?.id) || null;
@@ -287,7 +291,10 @@ export class WebhookVerificationService {
 
     if (headers.has('stripe-signature')) return 'stripe';
     if (headers.has('x-hub-signature-256')) return 'github';
-    if (headers.has('svix-signature')) return 'clerk';
+    if (headers.has('svix-signature')) return headers.has('svix-id') ? 'svix' : 'clerk';
+    if (headers.has('linear-signature')) return 'linear';
+    if (headers.has('x-pagerduty-signature')) return 'pagerduty';
+    if (headers.has('x-twilio-signature')) return 'twilio';
     if (headers.has('workos-signature')) return 'workos';
     if (headers.has('webhook-signature')) {
       const userAgent = headers.get('user-agent')?.toLowerCase() || '';

src/platforms/algorithms.ts

@@ -56,6 +56,28 @@ export const platformAlgorithmConfigs: Record<
     description: "Clerk webhooks use HMAC-SHA256 with base64 encoding",
   },
 
+  svix: {
+    platform: 'svix',
+    signatureConfig: {
+      algorithm: 'hmac-sha256',
+      headerName: 'svix-signature',
+      headerFormat: 'raw',
+      timestampHeader: 'svix-timestamp',
+      timestampFormat: 'unix',
+      payloadFormat: 'custom',
+      customConfig: {
+        signatureFormat: 'v1={signature}',
+        payloadFormat: '{id}.{timestamp}.{body}',
+        encoding: 'base64',
+        secretEncoding: 'base64',
+        idHeader: 'svix-id',
+        idHeaderAliases: ['webhook-id'],
+        timestampHeaderAliases: ['webhook-timestamp'],
+      },
+    },
+    description: 'Svix webhooks use HMAC-SHA256 with Standard Webhooks format',
+  },
+
   dodopayments: {
     platform: "dodopayments",
     signatureConfig: {
@@ -322,6 +344,53 @@ export const platformAlgorithmConfigs: Record<
       "Sanity webhooks use Stripe-compatible HMAC-SHA256 with base64 encoded signature and plain UTF-8 secret",
   },
 
+  linear: {
+    platform: 'linear',
+    signatureConfig: {
+      algorithm: 'hmac-sha256',
+      headerName: 'linear-signature',
+      headerFormat: 'raw',
+      payloadFormat: 'raw',
+      customConfig: {
+        replayToleranceMs: 60_000,
+      },
+    },
+    description: 'Linear webhooks use HMAC-SHA256 on the raw body with a 60s timestamp replay window',
+  },
+
+  pagerduty: {
+    platform: 'pagerduty',
+    signatureConfig: {
+      algorithm: 'hmac-sha256',
+      headerName: 'x-pagerduty-signature',
+      headerFormat: 'raw',
+      payloadFormat: 'raw',
+      prefix: 'v1=',
+      customConfig: {
+        signatureFormat: 'v1={signature}',
+        comparePrefixed: true,
+      },
+    },
+    description: 'PagerDuty webhooks use HMAC-SHA256 with v1=<hex> signatures',
+  },
+
+  twilio: {
+    platform: 'twilio',
+    signatureConfig: {
+      algorithm: 'hmac-sha1',
+      headerName: 'x-twilio-signature',
+      headerFormat: 'raw',
+      payloadFormat: 'custom',
+      customConfig: {
+        payloadFormat: '{url}',
+        encoding: 'base64',
+        secretEncoding: 'utf8',
+        validateBodySHA256: true,
+      },
+    },
+    description: 'Twilio webhooks use HMAC-SHA1 with base64 signatures (URL canonicalization required)',
+  },
+
   custom: {
     platform: "custom",
     signatureConfig: {

src/test.ts

@@ -114,6 +114,32 @@ function createSanitySignature(body: string, secret: string, timestamp: number):
   return `t=${timestamp},v1=${hmac.digest('base64')}`;
 }
 
+function createPagerDutySignature(body: string, secret: string): string {
+  const hmac = createHmac('sha256', secret);
+  hmac.update(body);
+  return `v1=${hmac.digest('hex')}`;
+}
+
+function createLinearSignature(body: string, secret: string): string {
+  const hmac = createHmac('sha256', secret);
+  hmac.update(body);
+  return hmac.digest('hex');
+}
+
+function createSvixSignature(body: string, secret: string, id: string, timestamp: number): string {
+  const signedContent = `${id}.${timestamp}.${body}`;
+  const secretBytes = new Uint8Array(Buffer.from(secret.split('whsec_')[1], 'base64'));
+  const hmac = createHmac('sha256', secretBytes);
+  hmac.update(signedContent);
+  return `v1,${hmac.digest('base64')}`;
+}
+
+function createTwilioSignature(url: string, authToken: string): string {
+  const hmac = createHmac('sha1', authToken);
+  hmac.update(url);
+  return hmac.digest('base64');
+}
+
 function createFalPayloadToSign(body: string, requestId: string, userId: string, timestamp: string): string {
   const bodyHash = createHash('sha256').update(body).digest('hex');
   return `${requestId}\n${userId}\n${timestamp}\n${bodyHash}`;
@@ -992,6 +1018,105 @@ async function runTests() {
     console.log('   ❌ Hono invalid signature test failed:', error);
   }
 
+  // Test 26: PagerDuty platform verification
+  console.log('\n26. Testing PagerDuty platform verification...');
+  try {
+    const payload = JSON.stringify({ messages: [{ event: 'incident.triggered' }] });
+    const signature = createPagerDutySignature(payload, testSecret);
+    const request = createMockRequest({
+      'x-pagerduty-signature': `${signature},v1=deadbeef`,
+      'content-type': 'application/json',
+    }, payload);
+
+    const result = await WebhookVerificationService.verifyWithPlatformConfig(
+      request,
+      'pagerduty',
+      testSecret,
+    );
+
+    console.log('   ✅ PagerDuty:', trackCheck('pagerduty platform verifier', result.isValid, result.error) ? 'PASSED' : 'FAILED');
+  } catch (error) {
+    console.log('   ❌ PagerDuty platform verifier test failed:', error);
+  }
+
+  // Test 27: Linear platform verification with replay protection
+  console.log('\n27. Testing Linear platform verification...');
+  try {
+    const payload = JSON.stringify({
+      action: 'Issue',
+      webhookTimestamp: Date.now(),
+    });
+    const signature = createLinearSignature(payload, testSecret);
+    const request = createMockRequest({
+      'linear-signature': signature,
+      'content-type': 'application/json',
+    }, payload);
+
+    const result = await WebhookVerificationService.verifyWithPlatformConfig(
+      request,
+      'linear',
+      testSecret,
+    );
+
+    console.log('   ✅ Linear:', trackCheck('linear platform verifier', result.isValid, result.error) ? 'PASSED' : 'FAILED');
+  } catch (error) {
+    console.log('   ❌ Linear platform verifier test failed:', error);
+  }
+
+  // Test 28: Svix platform verification with replay protection
+  console.log('\n28. Testing Svix platform verification...');
+  try {
+    const id = 'msg_2LJC7S5QfRZk9k9bM2QxWjv1l3U';
+    const timestamp = Math.floor(Date.now() / 1000);
+    const payload = JSON.stringify({ type: 'invoice.paid' });
+    const svixSecret = `whsec_${Buffer.from(testSecret).toString('base64')}`;
+    const signature = createSvixSignature(payload, svixSecret, id, timestamp);
+
+    const request = createMockRequest({
+      'svix-id': id,
+      'svix-timestamp': String(timestamp),
+      'svix-signature': `${signature} v1,invalid`,
+      'content-type': 'application/json',
+    }, payload);
+
+    const result = await WebhookVerificationService.verifyWithPlatformConfig(
+      request,
+      'svix',
+      svixSecret,
+    );
+
+    console.log('   ✅ Svix:', trackCheck('svix platform verifier', result.isValid, result.error) ? 'PASSED' : 'FAILED');
+  } catch (error) {
+    console.log('   ❌ Svix platform verifier test failed:', error);
+  }
+
+  // Test 29: Twilio platform verification (JSON + bodySHA256)
+  console.log('\n29. Testing Twilio platform verification...');
+  try {
+    const payload = JSON.stringify({ callSid: 'CA123', status: 'completed' });
+    const bodySha256 = createHash('sha256').update(payload).digest('hex');
+    const url = `https://example.com/twilio/webhook?bodySHA256=${bodySha256}`;
+    const signature = createTwilioSignature(url, testSecret);
+    const request = new Request(url, {
+      method: 'POST',
+      headers: {
+        'x-twilio-signature': signature,
+        'content-type': 'application/json',
+      },
+      body: payload,
+    });
+
+    const result = await WebhookVerificationService.verifyWithPlatformConfig(
+      request,
+      'twilio',
+      testSecret,
+    );
+
+    console.log('   ✅ Twilio:', trackCheck('twilio platform verifier', result.isValid, result.error) ? 'PASSED' : 'FAILED');
+  } catch (error) {
+    console.log('   ❌ Twilio platform verifier test failed:', error);
+  }
+
   if (failedChecks.length > 0) {
     throw new Error(`Test checks failed: ${failedChecks.join(', ')}`);
   }

src/types.ts

@@ -1,6 +1,7 @@
 export type WebhookPlatform =
   | 'custom'
   | 'clerk'
+  | 'svix'
   | 'github'
   | 'stripe'
   | 'shopify'
@@ -19,12 +20,16 @@ export type WebhookPlatform =
   | 'grafana'
   | 'doppler'
   | 'sanity'
+  | 'linear'
+  | 'pagerduty'
+  | 'twilio'
   | 'unknown';
 
 export enum WebhookPlatformKeys {
   GitHub = 'github',
   Stripe = 'stripe',
   Clerk = 'clerk',
+  Svix = 'svix',
   DodoPayments = 'dodopayments',
   Shopify = 'shopify',
   Vercel = 'vercel',
@@ -41,6 +46,9 @@ export enum WebhookPlatformKeys {
   Grafana = 'grafana',
   Doppler = 'doppler',
   Sanity = 'sanity',
+  Linear = 'linear',
+  PagerDuty = 'pagerduty',
+  Twilio = 'twilio',
   Custom = 'custom',
   Unknown = 'unknown'
 }