Add HMAC webhook signature verification

## Problem
`webhook.service.ts` sends outbound webhooks to 
merchants without any signature. A merchant receiving 
a webhook from Migo has no way to verify it's 
legitimate. This is a standard security requirement 
for any payment protocol.

## Expected behavior
Every outbound webhook from Migo should include an 
`X-Migo-Signature` header containing an HMAC-SHA256 
of the request body, signed with a secret.

## Acceptance criteria
- [ ] `sendWebhook()` adds 
      `X-Migo-Signature: sha256=<hex>` to every request
- [ ] HMAC secret stored in `WEBHOOK_SECRET` env variable
- [ ] Uses `crypto.createHmac('sha256', secret)
      .update(body).digest('hex')`
- [ ] Uses `crypto.timingSafeEqual` for verification 
      to prevent timing attacks
- [ ] README updated with instructions for merchants 
      to verify the signature

## Resources
- https://nodejs.org/api/crypto.html#cryptohmac
- File: `api/src/services/webhook.service.ts`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add HMAC webhook signature verification #8

Problem

Expected behavior

Acceptance criteria

Resources

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Add HMAC webhook signature verification #8

Description

Problem

Expected behavior

Acceptance criteria

Resources

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions