refactor: 시그니처 인증 과정 추가

six-standard · six-standard · commit 60c416c37721 · 2025-07-04T11:45:19.000+09:00
diff --git a/.env.sample b/.env.sample
@@ -22,4 +22,5 @@ POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
 
 # ETC
-SLACK_WEBHOOK_URL=https://hooks.slack.com/services
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services
+SLACK_SENTRY_SIGNATURE=374708bedd34ae70f814471ff24db7dedc4b9bee06a7e8ef9255a4f6c8bd9049 # 실제 키를 사용하세요
diff --git a/src/controllers/webhook.controller.ts b/src/controllers/webhook.controller.ts
@@ -2,6 +2,7 @@ import { NextFunction, Request, RequestHandler, Response } from 'express';
 import { EmptyResponseDto, SentryWebhookData } from '@/types';
 import logger from '@/configs/logger.config';
 import { sendSlackMessage } from '@/modules/slack/slack.notifier';
+import { verifySignature } from '@/utils/verify.util';
 
 export class WebhookController {
   private readonly STATUS_EMOJI = {
@@ -16,8 +17,8 @@ export class WebhookController {
     next: NextFunction,
   ): Promise<void> => {
     try {
-      
-      if (req.body?.action !== "created") { 
+      // 시그니처 검증 과정 추가
+      if (req.body?.action !== "created" || !verifySignature(req)) { 
         const response = new EmptyResponseDto(true, 'Sentry 웹훅 처리에 실패했습니다', {}, null);
         res.status(400).json(response);
         return;
diff --git a/src/utils/verify.util.ts b/src/utils/verify.util.ts
@@ -0,0 +1,32 @@
+import crypto from "crypto"
+import dotenv from "dotenv";
+import { Request } from "express";
+
+dotenv.config();
+
+/**
+ * Sentry 웹훅 요청의 시그니처 헤더를 검증합니다.
+ * 
+ * HMAC SHA256과 Sentry의 Client Secret를 사용하여 요청 본문을 해시화하고, 
+ * 
+ * Sentry에서 제공하는 시그니처 헤더와 비교하여 요청의 무결성을 확인합니다.
+ * 
+ * @param {Request} request - Express 요청 객체
+ * @returns {boolean} 헤더가 유효하면 true, 그렇지 않으면 false
+ * 
+ * @example
+ * ```typescript
+ * const isValid = verifySignature(req, process.env.SENTRY_WEBHOOK_SECRET);
+ * if (!isValid) {
+ *   return res.status(401).json({ error: 'Invalid signature' });
+ * }
+ * ```
+ */
+export function verifySignature(request: Request) {
+  if(!process.env.SENTRY_CLIENT_SECRET) throw new Error("SENTRY_CLIENT_SECRET is not defined");
+  const hmac = crypto.createHmac("sha256", process.env.SENTRY_CLIENT_SECRET);
+  hmac.update(JSON.stringify(request.body), "utf8");
+  const digest = hmac.digest("hex");
+
+  return digest === request.headers["sentry-hook-signature"];
+}
