common/hermes
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(webhook): use 403 not 500 for missing-secret rejection

Browse Source 
Operator misconfiguration is a client/setup error, not an internal server
exception. 403 "forbidden" more accurately reflects "this route refuses
to authenticate" than 500 "internal server error" — the latter triggers
incident alerting on operator monitoring and conflates real bugs with
config drift.

Follow-up tweak to PR #29629 by @m0n3r0.
This commit is contained in:
teknium1
2026-05-24 04:47:06 -07:00
committed by Teknium
parent dbf73e90fa
commit 15aa6884a2
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
gateway/platforms/webhook.py
View File

@@ -391,7 +391,7 @@ class WebhookAdapter(BasePlatformAdapter):
) )
return web.json_response( return web.json_response(
{"error": "Webhook route is missing an HMAC secret"}, {"error": "Webhook route is missing an HMAC secret"},
status=500, status=403,
) )
if secret != _INSECURE_NO_AUTH: if secret != _INSECURE_NO_AUTH:
if not self._validate_signature(request, raw_body, secret): if not self._validate_signature(request, raw_body, secret):

2
tests/gateway/test_webhook_adapter.py
View File

@@ -508,7 +508,7 @@ class TestHTTPHandling:
app = _create_app(adapter) app = _create_app(adapter)
async with TestClient(TestServer(app)) as cli: async with TestClient(TestServer(app)) as cli:
resp = await cli.post("/webhooks/test", json={"data": "value"}) resp = await cli.post("/webhooks/test", json={"data": "value"})
assert resp.status == 500 assert resp.status == 403
data = await resp.json() data = await resp.json()
assert data["error"] == "Webhook route is missing an HMAC secret" assert data["error"] == "Webhook route is missing an HMAC secret"