[TASK-220 / 25.07.04] Refactor: 시그니처 인증 과정 추가

.env.sample

@@ -22,4 +22,5 @@ POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
 
 # ETC
-SLACK_WEBHOOK_URL=https://hooks.slack.com/services
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services
+SLACK_SENTRY_SIGNATURE=374708bedd34ae70f814471ff24db7dedc4b9bee06a7e8ef9255a4f6c8bd9049 # 실제 키를 사용하세요

src/controllers/__test__/webhook.controller.test.ts

@@ -2,9 +2,11 @@ import 'reflect-metadata';
 import { Request, Response } from 'express';
 import { WebhookController } from '@/controllers/webhook.controller';
 import { sendSlackMessage } from '@/modules/slack/slack.notifier';
+import { verifySignature } from '@/utils/verify.util';
 
 // Mock dependencies
 jest.mock('@/modules/slack/slack.notifier');
+jest.mock('@/utils/verify.util');
 
 // logger 모킹
 jest.mock('@/configs/logger.config', () => ({
@@ -18,6 +20,7 @@ describe('WebhookController', () => {
   let mockResponse: Partial<Response>;
   let nextFunction: jest.Mock;
   let mockSendSlackMessage: jest.MockedFunction<typeof sendSlackMessage>;
+  let mockVerifySignature: jest.MockedFunction<typeof verifySignature>;
 
   beforeEach(() => {
     // WebhookController 인스턴스 생성
@@ -36,6 +39,10 @@ describe('WebhookController', () => {
 
     nextFunction = jest.fn();
     mockSendSlackMessage = sendSlackMessage as jest.MockedFunction<typeof sendSlackMessage>;
+    mockVerifySignature = verifySignature as jest.MockedFunction<typeof verifySignature>;
+
+    // 기본적으로 시그니처 검증이 성공하도록 설정
+    mockVerifySignature.mockReturnValue(true);
   });
 
   afterEach(() => {
@@ -308,4 +315,108 @@ describe('WebhookController', () => {
       expect(mockSendSlackMessage).toHaveBeenCalledWith(expectedMessage);
     });
   });
+
+  describe('Signature Verification', () => {
+    const mockSentryData = {
+      action: 'created',
+      data: {
+        issue: {
+          id: 'test-issue-123',
+          title: '시그니처 테스트 오류',
+          culprit: 'TestFile.js:10',
+          status: 'unresolved',
+          count: "1",
+          userCount: 1,
+          firstSeen: '2024-01-01T12:00:00.000Z',
+          permalink: 'https://velog-dashboardv2.sentry.io/issues/test-issue-123/',
+          project: {
+            id: 'project-123',
+            name: 'Velog Dashboard',
+            slug: 'velog-dashboard'
+          }
+        }
+      }
+    };
+
+    it('유효한 시그니처로 웹훅 처리에 성공해야 한다', async () => {
+      mockRequest.body = mockSentryData;
+      mockRequest.headers = {
+        'sentry-hook-signature': 'valid-signature'
+      };
+      mockVerifySignature.mockReturnValue(true);
+      mockSendSlackMessage.mockResolvedValue();
+
+      await webhookController.handleSentryWebhook(
+        mockRequest as Request,
+        mockResponse as Response,
+        nextFunction
+      );
+
+      expect(mockVerifySignature).toHaveBeenCalledWith(mockRequest);
+      expect(mockSendSlackMessage).toHaveBeenCalled();
+      expect(mockResponse.status).toHaveBeenCalledWith(200);
+    });
+
+    it('잘못된 시그니처로 400 에러를 반환해야 한다', async () => {
+      mockRequest.body = mockSentryData;
+      mockRequest.headers = {
+        'sentry-hook-signature': 'invalid-signature'
+      };
+      mockVerifySignature.mockReturnValue(false);
+
+      await webhookController.handleSentryWebhook(
+        mockRequest as Request,
+        mockResponse as Response,
+        nextFunction
+      );
+
+      expect(mockVerifySignature).toHaveBeenCalledWith(mockRequest);
+      expect(mockSendSlackMessage).not.toHaveBeenCalled();
+      expect(mockResponse.status).toHaveBeenCalledWith(400);
+      expect(mockResponse.json).toHaveBeenCalledWith({
+        success: true,
+        message: 'Sentry 웹훅 처리에 실패했습니다',
+        data: {},
+        error: null
+      });
+    });
+
+    it('시그니처 헤더가 누락된 경우 400 에러를 반환해야 한다', async () => {
+      mockRequest.body = mockSentryData;
+      mockRequest.headers = {}; // 시그니처 헤더 누락
+      mockVerifySignature.mockReturnValue(false);
+
+      await webhookController.handleSentryWebhook(
+        mockRequest as Request,
+        mockResponse as Response,
+        nextFunction
+      );
+
+      expect(mockVerifySignature).toHaveBeenCalledWith(mockRequest);
+      expect(mockSendSlackMessage).not.toHaveBeenCalled();
+      expect(mockResponse.status).toHaveBeenCalledWith(400);
+    });
+
+    it('시그니처 검증 중 예외 발생 시 에러를 전달해야 한다', async () => {
+      mockRequest.body = mockSentryData;
+      mockRequest.headers = {
+        'sentry-hook-signature': 'some-signature'
+      };
+      const verificationError = new Error('SENTRY_CLIENT_SECRET is not defined');
+      mockVerifySignature.mockImplementation(() => {
+        throw verificationError;
+      });
+
+      await webhookController.handleSentryWebhook(
+        mockRequest as Request,
+        mockResponse as Response,
+        nextFunction
+      );
+
+      expect(mockVerifySignature).toHaveBeenCalledWith(mockRequest);
+      expect(nextFunction).toHaveBeenCalledWith(verificationError);
+      expect(mockSendSlackMessage).not.toHaveBeenCalled();
+      expect(mockResponse.json).not.toHaveBeenCalled();
+    });
+  });
 }); 

src/controllers/webhook.controller.ts

@@ -2,6 +2,7 @@ import { NextFunction, Request, RequestHandler, Response } from 'express';
 import { EmptyResponseDto, SentryWebhookData } from '@/types';
 import logger from '@/configs/logger.config';
 import { sendSlackMessage } from '@/modules/slack/slack.notifier';
+import { verifySignature } from '@/utils/verify.util';
 
 export class WebhookController {
   private readonly STATUS_EMOJI = {
@@ -16,8 +17,8 @@ export class WebhookController {
     next: NextFunction,
   ): Promise<void> => {
     try {
-
-      if (req.body?.action !== "created") { 
+      // 시그니처 검증 과정 추가
+      if (req.body?.action !== "created" || !verifySignature(req)) { 
         const response = new EmptyResponseDto(true, 'Sentry 웹훅 처리에 실패했습니다', {}, null);
         res.status(400).json(response);
         return;

src/utils/verify.util.ts

@@ -0,0 +1,32 @@
+import crypto from "crypto"
+import dotenv from "dotenv";
+import { Request } from "express";
+
+dotenv.config();
+
+/**
+ * Sentry 웹훅 요청의 시그니처 헤더를 검증합니다.
+ * 
+ * HMAC SHA256과 Sentry의 Client Secret를 사용하여 요청 본문을 해시화하고, 
+ * 
+ * Sentry에서 제공하는 시그니처 헤더와 비교하여 요청의 무결성을 확인합니다.
+ * 
+ * @param {Request} request - Express 요청 객체
+ * @returns {boolean} 헤더가 유효하면 true, 그렇지 않으면 false
+ * 
+ * @example
+ * ```typescript
+ * const isValid = verifySignature(req, process.env.SENTRY_WEBHOOK_SECRET);
+ * if (!isValid) {
+ *   return res.status(401).json({ error: 'Invalid signature' });
+ * }
+ * ```
+ */
+export function verifySignature(request: Request) {
+  if(!process.env.SENTRY_CLIENT_SECRET) throw new Error("SENTRY_CLIENT_SECRET is not defined");
+  const hmac = crypto.createHmac("sha256", process.env.SENTRY_CLIENT_SECRET);
+  hmac.update(JSON.stringify(request.body), "utf8");
+  const digest = hmac.digest("hex");
+
+  return digest === request.headers["sentry-hook-signature"];
+}