CAST/cast-ghl-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cast-ghl-plugin/internal/ghl
History
Head of Product & Engineering ffb27acc11
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
fix: use Ed25519 for webhook signature verification (x-wh-signature) 
GHL signs x-wh-signature webhooks with an Ed25519 key from the
Marketplace app settings, not RSA. The previous RSA implementation
caused all webhook signature checks to fail, blocking every outbound
SMS send.

Changes:
- Replace parseRSAPublicKey + RSA verification with parseEd25519PublicKey
  + ed25519.Verify for x-wh-signature
- Both x-wh-signature (current) and X-GHL-Signature (July 2026) now
  use the same Ed25519 key from GHL_WEBHOOK_PUBLIC_KEY
- Remove unused crypto/rsa, crypto/sha256, crypto imports
- Update webhook_test.go to generate/sign with Ed25519 instead of RSA

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-06 08:47:56 +02:00
..
api.go
fix: resolve all golangci-lint v2 failures
2026-04-05 21:52:36 +02:00
oauth_test.go
fix: suppress remaining errcheck failures in test and oauth code
2026-04-05 22:37:52 +02:00
oauth.go
fix: guard against empty locationId in OAuth callback and log token fields
2026-04-06 01:15:27 +02:00
types.go
fix: add uninstall handler, idempotency guard, and OAuth error handling
2026-04-04 17:52:09 +02:00
webhook_test.go
fix: use Ed25519 for webhook signature verification (x-wh-signature)
2026-04-06 08:47:56 +02:00
webhook.go
fix: use Ed25519 for webhook signature verification (x-wh-signature)
2026-04-06 08:47:56 +02:00