fix: updating the webhook signature verification to use constant time check

##  (#484)

* fix: updating the webhook signature verification to use constant time check (#20617)

## Reason

Improve the security of webhook verification by using a constant-time
comparison function to prevent timing attacks.

## Overview

This PR updates the `verifyAndParseWebhook` function to use Node's
`timingSafeEqual` method instead of a simple string comparison when
verifying webhook signatures. The implementation now:

1. Computes the expected HMAC digest as a byte array
2. Converts the provided hexadecimal signature to bytes using the
imported `hexToBytes` function
3. Compares the two byte arrays using the timing-safe comparison
function

## Test Plan

Tested the updated webhook verification with both valid and invalid
signatures to ensure it correctly accepts legitimate webhooks and
rejects those with invalid signatures.

GitOrigin-RevId: 24d850239cf56a8f69b6de30158b8031c5e9b47f

* chore:adding changeset

* indicate slow payout status to bridge users (#20607)

## Reason
closes PX-863
Display "slow delivery" status to bridge users

## changes

* add RECEIVE_IBAN_SLOW account status
* display specific strings in uma card
* refactor the ReceiveIbanFailedModal to also show slow payout

![Screenshot 2025-09-21 at 3.23.07 PM.png](https://app.graphite.dev/user-attachments/assets/58191d25-f3e3-4aae-a377-4a0cc51f49b2.png)

![Screenshot 2025-09-21 at 3.23.24 PM.png](https://app.graphite.dev/user-attachments/assets/6df9b620-228e-44a5-ad43-515ce27db38b.png)

GitOrigin-RevId: fa02843c3e6e8363a93586028ce1b22c12dcb89e

* Improve JS webhook request validation and test coverage (#20624)

This PR improves our JS validation of webhook requests and adds tests
for it.

GitOrigin-RevId: 41ade8e18cb680c8f5d6e94bcd669bb596f289dd

* chore:adding changeset

---------

Co-authored-by: Peng Ying <[email protected]>
Co-authored-by: Matt Davis <[email protected]>
Co-authored-by: Alex Weil <[email protected]>

Author: 4 people

.changeset/full-glasses-guess.md

@@ -0,0 +1,5 @@
+---
+"@lightsparkdev/lightspark-sdk": patch
+---
+
+Changing webhook signature verification to use a constant time comparison

.changeset/itchy-trees-spend.md

@@ -0,0 +1,5 @@
+---
+"@lightsparkdev/ui": patch
+---
+
+indicate slow payout status to bridge users

packages/lightspark-sdk/src/tests/webhooks.test.ts

@@ -1,26 +1,60 @@
+import { expect } from "@jest/globals";
 import WebhookEventType from "../objects/WebhookEventType.js";
 import { verifyAndParseWebhook } from "../webhooks.js";
 
 describe("Webhooks", () => {
   test("should verify and parse webhook data", async () => {
-    const eventType = WebhookEventType.NODE_STATUS;
-    const eventId = "1615c8be5aa44e429eba700db2ed8ca5";
-    const entityId = "lightning_node:01882c25-157a-f96b-0000-362d42b64397";
-    const timeStamp = new Date("2023-05-17T23:56:47.874449+00:00");
     const data = `{"event_type": "NODE_STATUS", "event_id": "1615c8be5aa44e429eba700db2ed8ca5", "timestamp": "2023-05-17T23:56:47.874449+00:00", "entity_id": "lightning_node:01882c25-157a-f96b-0000-362d42b64397"}`;
-    const hexdigest =
+    const hexDigest =
       "62a8829aeb48b4142533520b1f7f86cdb1ee7d718bf3ea15bc1c662d4c453b74";
     const webhookSecret = "3gZ5oQQUASYmqQNuEk0KambNMVkOADDItIJjzUlAWjX";
 
     const webhook = await verifyAndParseWebhook(
-      Buffer.from(data, "utf-8"),
-      hexdigest,
+      Buffer.from(data),
+      hexDigest,
       webhookSecret,
     );
 
-    expect(webhook.entity_id).toBe(entityId);
-    expect(webhook.event_id).toBe(eventId);
-    expect(webhook.event_type).toBe(eventType);
-    expect(webhook.timestamp).toEqual(timeStamp);
+    expect(webhook.entity_id).toBe(
+      "lightning_node:01882c25-157a-f96b-0000-362d42b64397",
+    );
+    expect(webhook.event_id).toBe("1615c8be5aa44e429eba700db2ed8ca5");
+    expect(webhook.event_type).toBe(WebhookEventType.NODE_STATUS);
+    expect(webhook.timestamp).toEqual(
+      new Date("2023-05-17T23:56:47.874449+00:00"),
+    );
+  });
+
+  test.each([
+    ["wrong length", "deadbeef"],
+    ["is incorrect", "a".repeat(64)],
+    ["is not hex", "NotAHexValue"],
+    [
+      "has extra bytes",
+      "62a8829aeb48b4142533520b1f7f86cdb1ee7d718bf3ea15bc1c662d4c453b74" + "qq",
+    ],
+  ])("should error when hex digest %s", async (name, digest) => {
+    const data = `{"event_type": "NODE_STATUS", "event_id": "1615c8be5aa44e429eba700db2ed8ca5", "timestamp": "2023-05-17T23:56:47.874449+00:00", "entity_id": "lightning_node:01882c25-157a-f96b-0000-362d42b64397"}`;
+    const webhookSecret = "3gZ5oQQUASYmqQNuEk0KambNMVkOADDItIJjzUlAWjX";
+
+    expect.assertions(1);
+    await expect(
+      verifyAndParseWebhook(Buffer.from(data), digest, webhookSecret),
+    ).rejects.toThrow("Webhook message hash does not match signature");
+  });
+
+  test("should throw on invalid signature", async () => {
+    const data = `{"event_type": "NODE_STATUS", "event_id": "1615c8be5aa44e429eba700db2ed8ca5", "timestamp": "2023-05-17T23:56:47.874449+00:00", "entity_id": "lightning_node:01882c25-157a-f96b-0000-362d42b64397"}`;
+    const invalidHex =
+      "62a8829aeb48b4142533520b1f7f86cdb1ee7d718bf3ea15bc1c662d4c453b70";
+    const webhookSecret = "3gZ5oQQUASYmqQNuEk0KambNMVkOADDItIJjzUlAWjX";
+
+    await expect(
+      verifyAndParseWebhook(
+        new TextEncoder().encode(data),
+        invalidHex,
+        webhookSecret,
+      ),
+    ).rejects.toThrow("Webhook message hash does not match signature");
   });
 });

packages/lightspark-sdk/src/webhooks.ts

@@ -14,14 +14,24 @@ export interface WebhookEvent {
 
 export const verifyAndParseWebhook = async (
   data: Uint8Array,
-  hexdigest: string,
-  webhook_secret: string,
+  hexDigest: string,
+  webhookSecret: string,
 ): Promise<WebhookEvent> => {
   /* dynamic import to avoid bundling crypto in browser */
-  const { createHmac } = await import("crypto");
-  const sig = createHmac("sha256", webhook_secret).update(data).digest("hex");
-
-  if (sig.toLowerCase() !== hexdigest.toLowerCase()) {
+  const { createHmac, timingSafeEqual } = await import("crypto");
+  const sig = new Uint8Array(
+    createHmac("sha256", webhookSecret).update(data).digest(),
+  );
+
+  const digestBytes = new Uint8Array(Buffer.from(hexDigest, "hex"));
+  if (
+    // Ensure there are no extra chars, since Buffer.from silently drops them.
+    // Each byte is represented by two hex characters.
+    digestBytes.length !== hexDigest.length / 2 ||
+    // timingSafeEqual checks this, but throws a different error.
+    sig.length !== digestBytes.length ||
+    !timingSafeEqual(sig, digestBytes)
+  ) {
     throw new Error("Webhook message hash does not match signature");
   }
 

packages/ui/src/icons/central/Turtle.tsx

@@ -0,0 +1,36 @@
+// Copyright  ©, 2023, Lightspark Group, Inc. - All Rights Reserved
+
+import { type PathProps } from "../types.js";
+
+export function Turtle({
+  strokeWidth = "2",
+  strokeLinecap = "round",
+  strokeLinejoin = "round",
+}: PathProps) {
+  return (
+    <svg
+      width="14"
+      height="14"
+      viewBox="0 0 14 14"
+      fill="none"
+      xmlns="http://www.w3.org/2000/svg"
+    >
+      <path
+        d="M8.1671 2.48013C9.15709 2.48013 10.0039 2.6611 10.7072 3.01903L10.5312 3.37108L11.053 3.63198L11.2079 3.32209C11.5465 3.56151 11.8444 3.85059 12.1 4.19082C12.8677 5.21246 13.2146 6.62677 13.2644 8.31346H13.4171C13.6587 8.31346 13.8546 8.50934 13.8546 8.75096C13.8546 8.99259 13.6587 9.18846 13.4171 9.18846H2.91709C2.67546 9.18846 2.47959 8.99259 2.47959 8.75096C2.47959 8.50934 2.67546 8.31346 2.91709 8.31346H3.06976C3.08347 7.84939 3.11966 7.40593 3.18093 6.9856C3.20097 6.84808 3.22369 6.71304 3.24919 6.58056C3.42902 5.64624 3.74678 4.8394 4.23414 4.19082C4.35651 4.02798 4.48851 3.87679 4.63 3.73716C4.78402 3.58516 4.9493 3.44685 5.12566 3.32209L5.28119 3.63198L6.52989 6.12824L5.43728 8.31346H6.08954L7.03632 6.42104H9.30015L10.2469 8.31346H10.8992L9.80374 6.12425L11.0513 3.63198L10.5295 3.37108L9.29844 5.83201H7.03404L5.803 3.37108L5.62641 3.01903C6.32976 2.66095 7.17689 2.48013 8.1671 2.48013Z"
+        fill="#F9F9F9"
+      />
+      <path
+        d="M2.08378 2.04297H1.69009C1.07446 2.04297 0.52086 2.41779 0.292236 2.98939C0.160003 3.32 0.14923 3.68678 0.26183 4.02458L0.311807 4.17451C0.526179 4.81763 1.19907 4.95949 2.04224 4.95964C2.40358 4.95964 2.9784 5.49737 3.06604 5.84793C3.10803 6.0155 3.23826 6.38242 3.18093 6.9856C3.20097 6.84808 3.22369 6.71304 3.24919 6.58056C3.42902 5.64624 3.74678 4.8394 4.23414 4.19082C4.35651 4.02798 4.48851 3.87679 4.63 3.73716C3.50057 2.33464 3.10211 2.04297 2.08378 2.04297Z"
+        fill="#F9F9F9"
+      />
+      <path
+        d="M7 8.75V9.1123C7 9.64098 6.87705 10.1629 6.64062 10.6357L6.47852 10.9609C6.24953 11.4188 5.87599 11.7889 5.41602 12.0137L5.22168 12.1084C5.03046 12.2018 4.82023 12.25 4.60742 12.25H4.22559C3.66405 12.25 3.20822 11.7949 3.20801 11.2334C3.20801 10.7958 3.4883 10.4071 3.90332 10.2686L4.08301 10.208C4.60555 10.0338 4.95801 9.54495 4.95801 8.99414V8.75H7Z"
+        fill="#F9F9F9"
+      />
+      <path
+        d="M9.91699 8.75V9.1123C9.91699 9.641 10.0399 10.1629 10.2764 10.6357L10.4385 10.9609C10.6675 11.4188 11.041 11.7889 11.501 12.0137L11.6953 12.1084C11.8865 12.2017 12.0969 12.25 12.3096 12.25H12.6914C13.2529 12.25 13.7078 11.7949 13.708 11.2334C13.708 10.7957 13.428 10.407 13.0127 10.2686L12.833 10.208C12.3107 10.0337 11.958 9.54481 11.958 8.99414V8.75H9.91699Z"
+        fill="#F9F9F9"
+      />
+    </svg>
+  );
+}

packages/ui/src/icons/central/index.tsx

@@ -131,6 +131,7 @@ export { TradingViewCandles as CentralTradingViewCandles } from "./TradingViewCa
 export { TrashCan as CentralTrashCan } from "./TrashCan.js";
 export { TriangleExclamation as CentralTriangleExclamation } from "./TriangleExclamation.js";
 export { TriangleExclamationFilled as CentralTriangleExclamationFilled } from "./TriangleExclamationFilled.js";
+export { Turtle as CentralTurtle } from "./Turtle.js";
 export { Vignette as CentralVignette } from "./Vignette.js";
 export { WeakStrengthIcon as CentralWeakStrengthIcon } from "./WeakStrength.js";
 export { Wrench as CentralWrench } from "./Wrench.js";