fix(webhook): preserve raw body for Meta webhook HMAC validation

The global express.json() middleware at line 77 was parsing the body
into a JS object before the route-level express.raw() could capture
the raw Buffer. When WHATSAPP_APP_SECRET is set and a signature is
present, crypto.createHmac().update(req.body) received an Object
instead of Buffer, throwing TypeError and crashing the process.

Fix: register app.use('/webhook/whatsapp', express.raw({ type: '*/*' }))
before app.use(express.json()) so the raw body is preserved for HMAC.

Post-deploy verification: all 7 webhook tests pass, pod 0 restarts.

Related: SquareMCP/2026-06-10-twilio-whatsapp-webhook-deployment.md
Garfield
2026-06-10 22:37:00 -04:00
parent e5152eef12
commit f74f90a2f0
2 changed files with 10 additions and 1 deletions

@@ -74,6 +74,8 @@ app.use(cors({
allowedHeaders: ['Content-Type', 'mcp-session-id', 'Accept', 'x-api-key', 'Authorization'],
credentials: true,
}));
// Preserve raw body for Meta webhook HMAC validation (must run before express.json)
app.use('/webhook/whatsapp', express.raw({ type: '*/*' }));
app.use(express.json({ limit: '100kb' }));
app.use(express.urlencoded({ extended: true, limit: '100kb' }));
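
Review bot: On the added `express.raw({ type: '*/*' })` line, `req.body` is still not guaranteed to be a Buffer. The `*/*` matcher only applies when the request carries a Content-Type header and a body, so a POST without Content-Type, or an empty one, passes through unparsed and the `crypto.createHmac().update(req.body)` call described in the commit message can still throw the same TypeError. The handler is not part of this hunk, but it should check `Buffer.isBuffer(req.body)` before computing the HMAC and reject the request with a 4xx instead of letting the exception take down the process. Separately, consider writing `limit: '100kb'` explicitly here, as the `express.json` and `express.urlencoded` lines below do, so the size cap on this unauthenticated path is visible in the code and does not depend on the parser default.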