DE-1389 Make Webhook Signing Key optional (#390)

mailgun · Feb 10, 2025 · 8394945 · 8394945
1 parent fe7c6ae
commit 8394945
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/mailgun.go b/mailgun.go
@@ -317,11 +317,7 @@ func (mg *MailgunImpl) SetHTTPClient(c *http.Client) {
 
 // WebhookSigningKey returns the webhook signing key configured for this client
 func (mg *MailgunImpl) WebhookSigningKey() string {
-	key := mg.webhookSigningKey
-	if key == "" {
-		return mg.APIKey()
-	}
-	return key
+	return mg.webhookSigningKey
 }
 
 // SetWebhookSigningKey updates the webhook signing key for this client

diff --git a/webhooks.go b/webhooks.go
@@ -122,7 +122,12 @@ type WebhookPayload struct {
 
 // VerifyWebhookSignature - use this method to parse the webhook signature given as JSON in the webhook response
 func (mg *MailgunImpl) VerifyWebhookSignature(sig Signature) (verified bool, err error) {
-	h := hmac.New(sha256.New, []byte(mg.WebhookSigningKey()))
+	webhookSigningKey := mg.WebhookSigningKey()
+	if webhookSigningKey == "" {
+		return false, fmt.Errorf("webhook signing key is not set")
+	}
+
+	h := hmac.New(sha256.New, []byte(webhookSigningKey))
 
 	_, err = io.WriteString(h, sig.TimeStamp)
 	if err != nil {