fixes

Author: maticzav

examples/webhooks.py

@@ -17,43 +17,48 @@
 def mock_webhook_event() -> Tuple[Dict[str, Any], str, str]:
     """Mock a webhook event."""
 
-    timestamp = datetime.fromisoformat("2023-01-01T00:00:00")
+    timestamp = datetime.fromisoformat("2023-01-01T00:00:00").isoformat()
+
     payload = WebhookAgentTaskStatusUpdatePayload(
         session_id="sess_123",
         task_id="task_123",
         status="started",
         metadata={"progress": 25},
     )
+
     signature = create_webhook_signature(
-        payload=payload.model_dump(), timestamp="2023-01-01T00:00:00", secret="your-webhook-secret-key"
+        payload=payload.model_dump(),
+        timestamp=timestamp,
+        secret=SECRET,
     )
 
     evt: Webhook = WebhookAgentTaskStatusUpdate(
         type="agent.task.status_update",
-        timestamp=timestamp,
+        timestamp=datetime.fromisoformat("2023-01-01T00:00:00"),
         payload=payload,
     )
 
-    return evt.model_dump(), signature, timestamp.isoformat()
+    return evt.model_dump(), signature, timestamp
 
 
 def main() -> None:
     """Demonstrate webhook functionality."""
 
     # NOTE: You'd get the evt and signature from the webhook request body and headers!
     evt, signature, timestamp = mock_webhook_event()
+
     verified_webhook = verify_webhook_event_signature(
         body=evt,
         signature=signature,
         timestamp=timestamp,
         secret=SECRET,
     )
 
-    if verified_webhook is not None:
+    if verified_webhook is None:
+        print("✗ Webhook signature verification failed")
+    else:
         print("✓ Webhook signature verified successfully")
         print(f"  Event type: {verified_webhook.type}")
-    else:
-        print("✗ Webhook signature verification failed")
 
 
 if __name__ == "__main__":

src/browser_use_sdk/lib/webhooks.py

@@ -65,13 +65,15 @@ def create_webhook_signature(payload: Any, timestamp: str, secret: str) -> str:
     Returns:
         The HMAC-SHA256 signature as a hex string
     """
-    # Sort keys and use compact JSON format (equivalent to fast-json-stable-stringify)
+
     dump = json.dumps(payload, separators=(",", ":"), sort_keys=True)
     message = f"{timestamp}.{dump}"
 
     # Create HMAC-SHA256 signature
     hmac_obj = hmac.new(secret.encode(), message.encode(), hashlib.sha256)
-    return hmac_obj.hexdigest()
+    signature = hmac_obj.hexdigest()
+
+    return signature
 
 
 def verify_webhook_event_signature(
@@ -94,20 +96,20 @@ def verify_webhook_event_signature(
         None if the signature is invalid, otherwise the parsed webhook event.
     """
     try:
-        # Parse body if it's a string
         if isinstance(body, str):
             json_data = json.loads(body)
         else:
             json_data = body
 
-        # Try to parse as each webhook type
+        # PARSE
+
         webhook_event: Optional[Webhook] = None
 
-        # Try test webhook first
-        try:
-            webhook_event = WebhookTest(**json_data)
-        except Exception:
-            pass
+        if webhook_event is None:
+            try:
+                webhook_event = WebhookTest(**json_data)
+            except Exception:
+                pass
 
         # Try agent task status update webhook
         if webhook_event is None:
@@ -119,10 +121,12 @@ def verify_webhook_event_signature(
         if webhook_event is None:
             return None
 
-        # Create expected signature
-        expected_signature = create_webhook_signature(payload=webhook_event.payload, timestamp=timestamp, secret=secret)
+        # Verify
+
+        expected_signature = create_webhook_signature(
+            payload=webhook_event.payload.model_dump(), timestamp=timestamp, secret=secret
+        )
 
-        # Compare signatures using timing-safe comparison
         if not hmac.compare_digest(signature, expected_signature):
             return None