fix(webhook): return 401 when signature header is missing #4278

Open
mixelburg wants to merge 4 commits into Dokploy:canary from mixelburg:fix/webhook-401-missing-signature

@mixelburg mixelburg commented Apr 21, 2026

Fixes #4275

When the signature header is absent, webhooks.verify() receives undefined and throws, causing a 500. Now we check for the header early and return 401 with a clear message.

Greptile Summary

Adds an early !signature guard to return 401 when the x-hub-signature-256 header is absent, fixing the 500 thrown by webhooks.verify(body, undefined). Also removes the as string type cast at the verify call site.

Confidence Score: 5/5

Safe to merge; the core fix is correct and the remaining note is minor.

The 401 early-return for a missing signature is clearly correct and consistent with the existing 401 for a bad signature. The only concern (handling string[] header values) is pre-existing behaviour that was previously hidden by the as string cast, and GitHub realistically never sends multiple signature headers.

No files require special attention.

Reviews (1): Last reviewed commit: "[autofix.ci] apply automated fixes"

Greptile also left 1 inline comment on this PR.

@mixelburg mixelburg requested a review from Siumauricio as a code owner April 21, 2026 22:04
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Apr 21, 2026
@dosubot dosubot Bot added bug Something isn't working size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Apr 21, 2026
Comment on lines 26 to +30
const signature = req.headers["x-hub-signature-256"];
if (!signature) {
res.status(401).json({ message: "Missing signature header" });
return;
}
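
Review bot: the new 401 branch under `if (!signature)` has no test in the lines shown; a case that calls the handler without `x-hub-signature-256` and asserts status 401 with the `Missing signature header` body would keep the 500 from #4275 from returning.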

P2 string[] case unhandled after removing the cast

After the if (!signature) guard, TypeScript narrows signature to string | string[] — a non-empty array is truthy and passes the check. webhooks.verify expects a string, so if a request arrives with multiple x-hub-signature-256 headers (or TypeScript strict mode is enabled) this could cause a compilation error or a runtime failure. The previous as string cast silently suppressed this, but removing it without handling the array case may break the build.

Consider extracting a definite string value:

Suggested change
const signature = req.headers["x-hub-signature-256"];
if (!signature) {
res.status(401).json({ message: "Missing signature header" });
return;
}
const rawSig = req.headers["x-hub-signature-256"];
const signature = Array.isArray(rawSig) ? rawSig[0] : rawSig;
if (!signature) {
res.status(401).json({ message: "Missing signature header" });
return;
}
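
The narrowing problem raised in the comment above, as an added example that is not part of the PR or Dokploy's code: it returns 401 for any header value that is not a single non-empty string, rather than taking the first array element, and a plain HMAC-SHA256 comparison stands in for `webhooks.verify()`. The names `sign` and `checkSignature`, the secret, the body and the `Invalid signature` message are assumptions made for this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Header shape described in the review comment, plus the absent case.
type HeaderValue = string | string[] | undefined;

interface Verdict {
  status: 200 | 401;
  message: string;
}

// Hypothetical helper (not Dokploy's code): expected "sha256=<hex>" value
// for a raw request body, the format carried in x-hub-signature-256.
function sign(secret: string, body: string): string {
  return "sha256=" + createHmac("sha256", secret).update(body).digest("hex");
}

// Hypothetical helper: every header shape maps to 200 or 401, never a throw.
function checkSignature(secret: string, body: string, header: HeaderValue): Verdict {
  // One test rejects undefined, "" and string[], and narrows to string.
  if (typeof header !== "string" || header.length === 0) {
    return { status: 401, message: "Missing signature header" };
  }
  const expected = Buffer.from(sign(secret, body), "utf8");
  const received = Buffer.from(header, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return { status: 401, message: "Invalid signature" };
  }
  return { status: 200, message: "ok" };
}

// Constructed sample values, not taken from the PR.
const SECRET = "example-webhook-secret";
const BODY = '{"action":"push"}';
const GOOD = sign(SECRET, BODY);

// Runs the absent, empty, duplicated, malformed and valid cases in order.
function demo(): number[] {
  const cases: HeaderValue[] = [undefined, "", [GOOD, GOOD], "sha256=00", GOOD];
  return cases.map((h) => checkSignature(SECRET, BODY, h).status);
}

console.log(demo()); // [401, 401, 401, 401, 200]
```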

@dosubot dosubot Bot added size:XS This PR changes 0-9 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Apr 22, 2026
Labels

bug Something isn't working size:XS This PR changes 0-9 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

Webhook endpoint returns 500 instead of 401 when X-Hub-Signature-256 header is missing