Update resource route webhook example to use timingSafeEqual

brophdawg11 · brophdawg11 · commit 4e6aef9c4b8b · 2025-12-08T10:01:34.000-05:00
diff --git a/data/docs/guides/resource-routes.md b/data/docs/guides/resource-routes.md
@@ -153,7 +153,8 @@ export const action = async ({
     .createHmac("sha256", process.env.GITHUB_WEBHOOK_SECRET)
     .update(JSON.stringify(payload))
     .digest("hex")}`;
-  if (signature !== generatedSignature) {
+
+  if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(generatedSignature))) {
     return json({ message: "Signature mismatch" }, 401);
   }
 

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,8 @@ export const action = async ({`
`153`	`153`	`.createHmac("sha256", process.env.GITHUB_WEBHOOK_SECRET)`
`154`	`154`	`.update(JSON.stringify(payload))`
`155`	`155`	.digest("hex")}`;
`156`		`- if (signature !== generatedSignature) {`
	`156`	`+`
	`157`	`+ if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(generatedSignature))) {`
`157`	`158`	`return json({ message: "Signature mismatch" }, 401);`
`158`	`159`	`}`
`159`	`160`