Skip to content

Fix webhook signature verification to use original body #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Spirou7 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix webhook signature verification to use original body #58

Spirou7 wants to merge 1 commit into from

Conversation

@Spirou7
Copy link

@Spirou7 Spirou7 commented Nov 29, 2025
edited by cubic-dev-ai bot
Loading

Summary

  • Fixed verifyWebhookEventSignature to compute signature using the original parsed JSON body instead of the Zod-validated output

Problem

The verifyWebhookEventSignature function was using event.data (the Zod-validated output) instead of json (the original parsed body) when computing the signature for verification. This caused signature verification failures because:

  1. Browser Use Cloud signs the raw JSON body when sending webhooks
  2. The SDK was signing the Zod-transformed output, which may differ from the original (e.g., due to type coercion, field stripping, or normalization)

Solution

Changed line 84 in src/wrapper/lib/webhooks.ts from:

body: event.data, // NOTE: We need to encrypt the entire body, not just the payload

To:

body: json, // Sign the original parsed body, not the Zod-transformed output

Test plan

  • Existing webhook tests pass
  • Manual testing confirms webhook signature verification now works correctly

🤖 Generated with Claude Code

Summary by cubic

Fixed webhook signature verification to use the original JSON body instead of the Zod-validated output. This matches Browser Use Cloud’s signing behavior and prevents verification failures.

Written for commit 113644f. Summary will update automatically on new commits.

@Spirou7 @claude
Fix webhook signature verification to use original body
113644f 
The verifyWebhookEventSignature function was using event.data (the
Zod-validated output) instead of json (the original parsed body) when
computing the signature. This caused verification failures because
Browser Use Cloud signs the raw body, but the SDK was signing the
potentially transformed Zod output.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Nov 29, 2025
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Spirou7