pr-reviewer/src/webhook/verify-signature.ts

import crypto from "node:crypto";

export function verifySignature(input: {
  secret: string;
  body: string;
  signatureHeader?: string | null;
}): boolean {
  const { secret, body, signatureHeader } = input;
  if (!signatureHeader) {
    return false;
  }

  const expected = crypto
    .createHmac("sha256", secret)
    .update(body, "utf8")
    .digest("hex");

  const provided = signatureHeader.startsWith("sha256=")
    ? signatureHeader.slice("sha256=".length)
    : signatureHeader;

  const expectedBuf = Buffer.from(expected);
  const providedBuf = Buffer.from(provided);

  if (expectedBuf.length !== providedBuf.length) {
    return false;
  }

  return crypto.timingSafeEqual(expectedBuf, providedBuf);
}