Update token comparison (#243)

rmcdaniel · web-flow · commit cb9ea8e15aeb · 2025-06-26T16:06:52.000-05:00
diff --git a/src/Auth/SignatureAuthenticator.php b/src/Auth/SignatureAuthenticator.php
@@ -11,8 +11,8 @@ class SignatureAuthenticator implements WebhookAuthenticator
     public function validate(Request $request): Request
     {
         if (! hash_equals(
-            $request->header(config('workflows.webhook_auth.signature.header')) ?? '',
-            hash_hmac('sha256', $request->getContent(), config('workflows.webhook_auth.signature.secret'))
+            (string) $request->header(config('workflows.webhook_auth.signature.header')),
+            (string) hash_hmac('sha256', $request->getContent(), config('workflows.webhook_auth.signature.secret'))
         )) {
             abort(401, 'Unauthorized');
         }
diff --git a/src/Auth/TokenAuthenticator.php b/src/Auth/TokenAuthenticator.php
@@ -10,8 +10,9 @@ class TokenAuthenticator implements WebhookAuthenticator
 {
     public function validate(Request $request): Request
     {
-        if ($request->header(config('workflows.webhook_auth.token.header')) !== config(
-            'workflows.webhook_auth.token.token'
+        if (! hash_equals(
+            (string) config('workflows.webhook_auth.token.token'),
+            (string) $request->header(config('workflows.webhook_auth.token.header'))
         )) {
             abort(401, 'Unauthorized');
         }

Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,8 @@ class SignatureAuthenticator implements WebhookAuthenticator`
`11`	`11`	`public function validate(Request $request): Request`
`12`	`12`	`{`
`13`	`13`	`if (! hash_equals(`
`14`		`- $request->header(config('workflows.webhook_auth.signature.header')) ?? '',`
`15`		`- hash_hmac('sha256', $request->getContent(), config('workflows.webhook_auth.signature.secret'))`
	`14`	`+ (string) $request->header(config('workflows.webhook_auth.signature.header')),`
	`15`	`+ (string) hash_hmac('sha256', $request->getContent(), config('workflows.webhook_auth.signature.secret'))`
`16`	`16`	`)) {`
`17`	`17`	`abort(401, 'Unauthorized');`
`18`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,9 @@ class TokenAuthenticator implements WebhookAuthenticator`
`10`	`10`	`{`
`11`	`11`	`public function validate(Request $request): Request`
`12`	`12`	`{`
`13`		`- if ($request->header(config('workflows.webhook_auth.token.header')) !== config(`
`14`		`- 'workflows.webhook_auth.token.token'`
	`13`	`+ if (! hash_equals(`
	`14`	`+ (string) config('workflows.webhook_auth.token.token'),`
	`15`	`+ (string) $request->header(config('workflows.webhook_auth.token.header'))`
`15`	`16`	`)) {`
`16`	`17`	`abort(401, 'Unauthorized');`
`17`	`18`	`}`