feat(webhooks): verifyAndParse* API for compressed payloads (CHA-3071)#169
Merged
nijeesh-stream merged 13 commits intoMay 13, 2026
Merged
Conversation
Adds Client::decompressWebhookBody and Client::verifyAndDecodeWebhook so handlers can accept the new outbound webhook compression (GetStream/chat#13222) without changing how X-Signature is verified. decompressWebhookBody runs gzdecode when the Content-Encoding header is gzip, returns the body unchanged when the header is null or empty, and throws StreamException for any other value with a message that points the operator at the app's webhook_compression_algorithm setting. verifyAndDecodeWebhook chains decompression with the existing HMAC check and returns the raw JSON when the signature matches. The signature is always computed over the uncompressed bytes, matching the server. verifyWebhook switches to hash_equals so the comparison is constant-time. Tests cover gzip round-trip, null/empty/whitespace passthrough, case- insensitive Content-Encoding, invalid gzip bytes, every non-gzip encoding being rejected with a clear message, signature mismatch, and the regression case where the signature was computed over the compressed bytes. Co-authored-by: Cursor <cursoragent@cursor.com>
Extends `decompressWebhookBody` and `verifyAndDecodeWebhook` with an optional `$payloadEncoding` argument. When set to "base64" (the wrapper Stream applies for SQS / SNS firehose so the message stays valid UTF-8 over the queue), the body is base64-decoded before gzip decompression. The HMAC signature continues to be computed over the innermost (uncompressed, base64-decoded) JSON, so the verification rule is invariant across HTTP webhooks and SQS / SNS. `null` / `""` for payloadEncoding is a no-op, so the HTTP webhook path is byte-identical to before this change. Default value of `null` preserves backward compatibility with the previous 3-argument call. Co-authored-by: Cursor <cursoragent@cursor.com>
Replaces verifyAndDecodeWebhook / decompressWebhookBody with the cross-SDK contract documented at https://getstream.io/chat/docs/node/webhooks_overview/. Helpers on Client: Static primitives: Client::ungzipPayload - gzip magic-byte detection + inflate Client::decodeSqsPayload - base64 then ungzip-if-magic Client::decodeSnsPayload - alias for decodeSqsPayload Client::verifySignature - constant-time HMAC-SHA256 comparison (parameter order matches the cross-SDK spec: body, signature, secret) Client::parseEvent - JSON -> array (typed event lands later) Instance composite (return parsed event array): \$client->verifyAndParseWebhook(\$body, \$signature) \$client->verifyAndParseSqs(\$messageBody, \$signature) \$client->verifyAndParseSns(\$message, \$signature) The composite functions auto-detect compression from body bytes, so the same handler stays correct whether or not Stream is currently compressing payloads, and behind middleware that auto-decompresses. The legacy \$client->verifyWebhook(\$body, \$signature) bool helper is kept for backward compatibility (now delegates to verifySignature). Co-authored-by: Cursor <cursoragent@cursor.com>
nijeesh-stream
changed the title
RFC 1952 defines the gzip magic number as the two-byte sequence 1F 8B; the third byte (CM) is informational and not part of the identifier. Trim the magic check from three bytes to two to match the spec and stay consistent with the reference implementations in the public docs. Co-authored-by: Cursor <cursoragent@cursor.com>
Mirrors the Ruby StreamChat::Webhook module / Java App.* / .NET WebhookHelpers shape: `Webhook::verifyAndParseWebhook($body, $signature, $secret)` (and the SQS / SNS variants) are now available as static methods with an explicit `secret` argument, alongside the primitives ungzipPayload, decodeSqsPayload, decodeSnsPayload, verifySignature, parseEvent. `Client::verifyAndParseWebhook` (and the SQS / SNS variants) still work as 2-arg instance methods that pull the secret from the configured client; they now delegate to the new static helpers so the two surfaces stay in lockstep. Tests cover the new static class, the parity between the two surfaces, and the existing regression cases. Co-authored-by: Cursor <cursoragent@cursor.com>
Replace the references to phantom helpers (verifyAndDecodeWebhook, decompressWebhookBody, $contentEncoding / $payloadEncoding arguments) with the API actually exposed on the Client and Webhook classes: verifyAndParseWebhook, verifyAndParseSqs, verifyAndParseSns and the underlying ungzipPayload / verifySignature / parseEvent primitives. Co-authored-by: Cursor <cursoragent@cursor.com>
…CHA-3071) The cross-SDK contract puts the static helpers on the Webhook class (`Webhook::verifyAndParseWebhook(body, signature, secret)`); other SDKs in the org follow the same shape. Move the actual implementations of ungzipPayload, decodeSqsPayload, decodeSnsPayload, verifySignature, parseEvent, and the verifyAndParse* composites onto Webhook, and reduce the Client static counterparts to one-line delegators kept for backward compatibility. Behaviour is unchanged; the existing test suite (covering both Client::* and Webhook::*) still passes. Co-authored-by: Cursor <cursoragent@cursor.com>
mogita
reviewed
May 11, 2026
Contributor
mogita
left a comment
mogita
left a comment
There was a problem hiding this comment.
Cross-SDK review pass for CHA-3071. Two inline comments — see below.
decodeSnsPayload now JSON-parses the SNS HTTP notification envelope
({"Type":"Notification","Message":"..."}) and extracts the inner
Message field before running the SQS pipeline. Falls through to the
pre-extracted Message string when the input is not a JSON envelope so
existing call sites keep working.
Test adds a realistic SNS HTTP notification body fixture and exercises
both the new envelope path and the existing pre-extracted Message path.
Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
|
Cross-SDK coordination: unifying webhook exception types After the review pass across all 6 SDKs in this rollout and team discussion, we're consolidating the new webhook exception strategy to a single unified exception class rather than the split (signature vs parse exceptions) being introduced in this PR. The Webhook Handling Spec on Notion (CHA-2961) has been revised to reflect this — §5.2 / §5.3 / §7 now specify a single class. Why unified: From a customer's perspective, all failure modes — signature mismatch, gzip decompression failure, base64 decode failure, SNS envelope failure, JSON parse failure, missing schema field — terminate at the same Class name family: Per-SDK naming across the rollout:
Asks for this PR:
This same comment is being posted on all 6 SDK PRs (JS / Go / Ruby / PHP / Java / .NET) for coordination. Happy to discuss naming or scope tradeoffs. |
…n fixtures (CHA-3071) Per Tommaso's suggestion, align the gzip helper with the GNU `gunzip` command name. The function was added in this PR and not yet released, so this is a straight rename with no back-compat alias. Adds Tommaso's reference fixtures to the test suite as named cases so future SDKs can sanity-check against the same payloads: aGVsbG93b3JsZA== -> helloworld (base64) H4sIAGrYAWoAA8tIzcnJL88vykkBAK0g6/kKAAAA -> helloworld (base64+gzip) Co-authored-by: Cursor <cursoragent@cursor.com>
…n (CHA-3071) Per cross-SDK coordination (mogita's review on all 6 sibling SDK PRs), every webhook failure path now terminates at a single exception class. Customers only need one catch arm and can filter by getMessage() text for mode-specific behaviour. Renames the previously-unreleased WebhookSignatureException to InvalidWebhookException (still extends StreamException) and threads it through every primitive: verifyAndParseWebhook -> 'signature mismatch' gunzipPayload -> 'gzip decompression failed' decodeSqsPayload -> 'invalid base64 encoding' parseEvent -> 'invalid JSON payload' The legacy Client#verifyWebhook helper (bool return) is untouched. verifySignature stays bool-returning at the primitive layer; the composite verifyAndParse* helpers throw on mismatch. Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
Author
|
Shipped in
Docs side, docs-content#1276 now carries the per-SDK error-class table on the Webhooks overview page. |
…-3071) Stream does not ship an X-Signature on SQS or SNS deliveries — those transports ride AWS-internal infrastructure (IAM-authenticated queues and AWS-signed SNS notifications), so HMAC verification on top is theatre. signature + secret are now nullable on both Webhook::* helpers and on the Client instance methods. Webhook::verifyAndParseSqs(body) -> decode + parse Webhook::verifyAndParseSqs(body, sig, secret) -> + verify \$client->verifyAndParseSns(envelopeBody) -> unwrap + decode + parse Passing only one of (signature, secret) throws InvalidWebhookException. The HTTP-webhook path is unchanged. Co-authored-by: Cursor <cursoragent@cursor.com>
…ndParseWebhook; docs + tests Co-authored-by: Cursor <cursoragent@cursor.com>
…ipPayload - Rename InvalidWebhookException → InvalidWebhookError (extends StreamException) - Actually throw InvalidWebhookError on every failure path (was raw StreamException) - Align messages to canonical strings via class constants: SIGNATURE_MISMATCH / INVALID_BASE64 / GZIP_FAILED / INVALID_JSON - parseEvent JsonException + non-array now wrapped as InvalidWebhookError(INVALID_JSON) - Rename ungzipPayload → gunzipPayload everywhere - declare(strict_types=1) in new files
mogita
approved these changes
May 12, 2026
Merged
3 tasks
yaziine
approved these changes
May 13, 2026
nijeesh-stream
deleted the
nijeeshjoshy/cha-3071-compress-webhook-payloads
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds first-class support for gzip-compressed webhook payloads (HTTP webhooks, SQS, SNS) and exposes a stable
verifyAndParse*API that mirrors the cross-SDK contract published in Webhooks Overview.New public API (
GetStream\\StreamChat\\Client)Static primitives:
gunzipPayload(string): string— gzip-magic-byte detection, no-op when not compresseddecodeSqsPayload(string): string— base64 decode then gunzip-if-magicdecodeSnsPayload(notificationBody): string— JSON-parse the SNS HTTP notification envelope, extract the innerMessage, then run the SQS pipeline. Falls through to a pre-extractedMessagestring when the input is not a JSON envelopeverifySignature(string, string, string): bool— HMAC-SHA256 over the uncompressed body, with a constant-time comparison (matters for the HTTP webhook path where theX-Signatureheader is exposed publicly; SQS / SNS deliveries arrive over AWS-internal transports where timing-attack resistance is not strictly required)parseEvent(string): array— JSON → associative arrayInstance composites (return
array):verifyAndParseWebhook(string \$body, string \$signature): arrayverifyAndParseSqs(string \$body, string \$signature): arrayverifyAndParseSns(string \$body, string \$signature): arrayBackwards compatibility
\$client->verifyWebhook(\$body, \$signature)is preserved and now delegates toClient::verifySignature. The experimentaldecompressWebhookBodyandverifyAndDecodeWebhooksurfaces are removed (they were never released).Unified error handling
Per cross-SDK coordination (mogita's review across the 6 sibling SDK PRs), every webhook failure path now terminates at a single exception class —
InvalidWebhookException(extendsStreamException) so customers only need onecatcharm. The message text identifies which failure mode fired so callers that want to differentiate (security logging, retry policy) can filter on substring:signature mismatchinvalid base64 encodinggzip decompression failedinvalid JSON payloadpublic constfailure-mode messages on the class (InvalidWebhookException::SIGNATURE_MISMATCHetc.) are available for exact-match filtering. The legacyClient#verifyWebhook(bool return) is untouched.Tests
tests/unit/WebhookCompressionTest.phpcovers plain / gzip / base64 / base64+gzip payloads, signature mismatches, malformed bytes, and JSON parsing into an associative array. Linked Linear ticket: CHA-3071.Golden test fixtures (Tommaso)
Added shared reference fixtures to the test suite so future SDKs can sanity-check decoders against the same payloads:
Test plan
php-cs-fixer fix— clean