← Back to PRs

#21532: Security/Voice Call: block signed webhook replay

by bmendonca3 open 2026-02-20 02:23 View on GitHub →
channel: voice-call size: S
## Summary - split signed-webhook replay protection out of #21203 into a dedicated voice-call security PR - dedupe replayed signed webhook requests before event processing for Telnyx/Plivo/Twilio signature flows - add focused replay-protection tests in `extensions/voice-call/src/webhook.test.ts` ## Scope boundaries - intentionally excludes exact-path matching changes (tracked separately) - intentionally excludes host-header hardening changes (tracked separately) - intentionally excludes Control UI and non-voice webhook replay work ## Validation - pnpm test -- extensions/voice-call/src/webhook.test.ts <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR adds webhook replay protection for voice call webhooks from Telnyx, Plivo, and Twilio providers. The implementation creates a fingerprint from provider-specific signature headers and idempotency tokens, then tracks seen requests in a 5-minute sliding window using an in-memory Map. Replayed webhooks are dropped after signature verification but before event processing. Key changes: - Adds `buildReplayKey()` to construct provider-specific replay keys from signature headers and nonces/timestamps - Implements `shouldDropReplayWebhook()` with SHA-256 fingerprinting and 5-minute window deduplication - Maintains `recentReplayKeys` map with automatic cleanup when exceeding 5000 entries - Test coverage for replay protection with identical Telnyx webhook requests <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with minimal risk - The implementation is well-designed with proper separation of concerns, comprehensive test coverage, and correct replay detection logic. The code follows the repository's patterns, includes appropriate memory management (map cleanup), and maintains security by performing replay checks after signature verification. The 5-minute window and 5000-key limit provide reasonable protection without excessive memory usage. - No files require special attention <sub>Last reviewed commit: e15d73d</sub> <!-- greptile_other_comments_section --> <!-- /greptile_comment -->

Most Similar PRs