# Pull Request: Secure and Operationalize the Webhooks System (#289)

[mijinummi]

📝 Description

Overview

This PR secures and operationalizes the Webhooks System.
It adds signing, retries, delivery history, and replay protection to ensure webhook authenticity and reliability.

Key Features

• Secret Generation: HMAC SHA‑256 signing
• Signed Deliveries: X-Signature header
• Retry Scheduling: Exponential backoff with jitter
• Delivery History: Stored in DB with status, error, attempts
• Replay Protection: Signature verification
• Diagnostics: Admin endpoint for delivery history
• Observability: Structured logging for operators

---

✅ Acceptance Criteria

• Third‑party consumers can verify webhook authenticity
• Operators can inspect failures without digging through logs
• No placeholder assumptions remain in production code paths

---

📂 File Changes

• backend/src/webhooks/webhooks.service.ts — delivery logic with signing and retries
• backend/src/webhooks/webhooks.controller.ts — endpoints for send and history
• backend/src/webhooks/webhooks.repository.ts — persistence methods
• backend/src/entities/webhook.entity.ts — delivery history entity
• backend/src/utils/signing.ts — HMAC signing utilities
• backend/src/utils/backoff.ts — retry backoff policy
• backend/src/utils/observability.ts — structured logging
• backend/src/webhooks/__tests__/webhooks.service.spec.ts — unit tests

---

Closes #289

[vercel]

@mijinummi is attempting to deploy a commit to the olufunbiik's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Warning

Rate limit exceeded

@mijinummi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 34 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 1 minutes and 34 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b8e18e1-7c87-4ab6-84d1-390dac94a9cf

📥 Commits

Reviewing files that changed from the base of the PR and between e82ee57 and b0b2758.

📒 Files selected for processing (5)

• backend/src/utils/backoff.ts
• backend/src/utils/observability.ts
• backend/src/utils/signing.ts
• backend/src/webhooks/webhooks.repository.ts
• backend/src/webhooks/webhooks.service.spec.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}