Implement rate limiting on webhook endpoints #199

New Issue

Closed

opened 2026-02-02 17:27:11 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-02 17:27:11 +00:00

Owner

Copy Link

Problem

Webhook endpoint has no rate limiting, allowing spam or denial-of-service attacks.

Location

apps/api/src/stitcher/stitcher.controller.ts:19-22

@Post("webhook")
async webhook(@Body() payload: WebhookPayloadDto): Promise<JobDispatchResult> {
  return this.stitcherService.handleWebhook(payload);
  // ❌ No rate limiting
  // ❌ No request signature validation
  // ❌ No source IP allowlist
}

Impact

• DoS attacks via webhook flooding
• Job queue exhaustion
• No authentication of webhook source
• No protection against replay attacks

Acceptance Criteria

• Implement rate limiting (max 100/min per IP)
• Add webhook signature validation (HMAC)
• Add IP allowlist for webhook sources
• Add request deduplication
• Log all webhook attempts
• Add monitoring for rate limit hits
• Document webhook security

Implementation

@Post("webhook")
@UseGuards(WebhookSignatureGuard)  // NEW: Validate HMAC
@UseInterceptors(RateLimitInterceptor)  // NEW: 100/min per IP
async webhook(@Body() payload: WebhookPayloadDto) {
  return this.stitcherService.handleWebhook(payload);
}

// Signature validation
@Injectable()
export class WebhookSignatureGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const req = context.switchToHttp().getRequest();
    const signature = req.headers['x-webhook-signature'];
    const body = JSON.stringify(req.body);
    
    const expected = crypto
      .createHmac('sha256', process.env.WEBHOOK_SECRET)
      .update(body)
      .digest('hex');
    
    return crypto.timingSafeEqual(
      Buffer.from(signature),
      Buffer.from(expected)
    );
  }
}

// Rate limiting
@Injectable()
export class RateLimitInterceptor implements NestInterceptor {
  async intercept(context: ExecutionContext, next: CallHandler) {
    const req = context.switchToHttp().getRequest();
    const ip = req.ip;
    
    const count = await this.redis.incr(`ratelimit:webhook:${ip}`);
    if (count === 1) {
      await this.redis.expire(`ratelimit:webhook:${ip}`, 60);
    }
    
    if (count > 100) {
      throw new TooManyRequestsException('Rate limit exceeded');
    }
    
    return next.handle();
  }
}

Testing

• Test rate limit enforced
• Test invalid signature rejected
• Test duplicate requests detected
• Test allowlist IP bypass

References

M4.2-Infrastructure verification report (2026-02-02)

## Problem Webhook endpoint has no rate limiting, allowing spam or denial-of-service attacks. ## Location apps/api/src/stitcher/stitcher.controller.ts:19-22 ```typescript @Post("webhook") async webhook(@Body() payload: WebhookPayloadDto): Promise<JobDispatchResult> { return this.stitcherService.handleWebhook(payload); // ❌ No rate limiting // ❌ No request signature validation // ❌ No source IP allowlist } ``` ## Impact - DoS attacks via webhook flooding - Job queue exhaustion - No authentication of webhook source - No protection against replay attacks ## Acceptance Criteria - [ ] Implement rate limiting (max 100/min per IP) - [ ] Add webhook signature validation (HMAC) - [ ] Add IP allowlist for webhook sources - [ ] Add request deduplication - [ ] Log all webhook attempts - [ ] Add monitoring for rate limit hits - [ ] Document webhook security ## Implementation ```typescript @Post("webhook") @UseGuards(WebhookSignatureGuard) // NEW: Validate HMAC @UseInterceptors(RateLimitInterceptor) // NEW: 100/min per IP async webhook(@Body() payload: WebhookPayloadDto) { return this.stitcherService.handleWebhook(payload); } // Signature validation @Injectable() export class WebhookSignatureGuard implements CanActivate { canActivate(context: ExecutionContext): boolean { const req = context.switchToHttp().getRequest(); const signature = req.headers['x-webhook-signature']; const body = JSON.stringify(req.body); const expected = crypto .createHmac('sha256', process.env.WEBHOOK_SECRET) .update(body) .digest('hex'); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ); } } // Rate limiting @Injectable() export class RateLimitInterceptor implements NestInterceptor { async intercept(context: ExecutionContext, next: CallHandler) { const req = context.switchToHttp().getRequest(); const ip = req.ip; const count = await this.redis.incr(`ratelimit:webhook:${ip}`); if (count === 1) { await this.redis.expire(`ratelimit:webhook:${ip}`, 60); } if (count > 100) { throw new TooManyRequestsException('Rate limit exceeded'); } return next.handle(); } } ``` ## Testing - [ ] Test rate limit enforced - [ ] Test invalid signature rejected - [ ] Test duplicate requests detected - [ ] Test allowlist IP bypass ## References M4.2-Infrastructure verification report (2026-02-02)

jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-02 17:27:11 +00:00

jason.woltje added the securityp2apiapi labels 2026-02-02 17:27:11 +00:00

jason.woltje closed this issue 2026-02-02 19:08:01 +00:00

jason.woltje referenced this issue from a commit 2026-02-02 19:14:42 +00:00

fix(#199): implement rate limiting on webhook endpoints

jason.woltje referenced this issue from a commit 2026-02-02 19:32:41 +00:00

fix(#196, #199): Fix TypeScript errors from race condition and throttler changes

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p2 security

Milestone

No items

No Milestone M4.2-Infrastructure (0.0.4)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#199