From d60ceab6c2fa227f17f659b99c094f96e87b6df7 Mon Sep 17 00:00:00 2001
From: Codex Microtask Operator
Date: Sat, 13 Jun 2026 01:38:25 +0200
Subject: [PATCH 1/2] Reject malformed CoinPay webhook signatures
---
 apps/logicsrc-web/contract/logicsrc-web.contract.test.ts | 1 +
 apps/logicsrc-web/src/lib/coinpay.ts | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
index e14773f..e900bea 100644
--- a/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
+++ b/apps/logicsrc-web/contract/logicsrc-web.contract.test.ts
@@ -410,6 +410,7 @@ describe("POST /api/webhooks/coinpay", () => {
 expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}`, secret)).toBe(true);
 expect(verifyCoinPayWebhook(payload, `t=${timestamp}, v1=${signature}`, secret)).toBe(true);
+ expect(verifyCoinPayWebhook(payload, `t=${timestamp},v1=${signature}0`, secret)).toBe(false);
 const response = await coinpayWebhook(
 new NextRequest("http://localhost/api/webhooks/coinpay", {
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index dae83d7..64343b7 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -117,7 +117,7 @@ export function verifyCoinPayWebhook(
 const parts = signatureHeader.split(",").map((part) => part.trim());
 const timestamp = parts.find((part) => part.startsWith("t="))?.slice(2);
 const signature = parts.find((part) => part.startsWith("v1="))?.slice(3);
- if (!timestamp || !signature) {
+ if (!timestamp || !/^[0-9a-fA-F]{64}$/.test(signature)) {
 return false;
 }
From 5f331ab549b4233cf57732699a91016c44af7ccb Mon Sep 17 00:00:00 2001
From: Codex Microtask Operator
Date: Sat, 13 Jun 2026 01:45:52 +0200
Subject: [PATCH 2/2] Fix webhook signature type guard
---
 apps/logicsrc-web/src/lib/coinpay.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
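Review bot: The new negative case only exercises an over-long value (the valid signature with a trailing `0`, 65 characters), so the regex's hex character class and the missing-part path are still untested. I would add two more assertions in the same shape: one with a 64-character non-hex value such as `"g".repeat(64)` as the `v1=` value, and one with a header that carries only the `t=` part; both should be `false`. The enclosing test body continues outside the hunk.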
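Review bot: The `/^[0-9a-fA-F]{64}$/` check is a security-relevant constraint with no comment saying why it exists, so a later reader may loosen it; I would put above the condition `// v1 must be an HMAC-SHA256 hex digest: exactly 64 hex chars. Pinning the length up front also keeps a constant-time buffer comparison from throwing on mismatched lengths` — the comparison itself is outside the hunk, so confirm that is what follows. The timestamp is only checked for presence here; whether it is parsed as a number and bounded against the current time happens below the hunk, if at all, and is worth confirming since replayed webhooks are the usual concern with this header shape. `parts.find` also takes only the first `v1=` entry, so a header carrying several signature values is verified against the first alone; that is probably intended but deserves a line in the function's doc comment. verifyCoinPayWebhook's body continues past the hunk.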
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index 64343b7..96bc58f 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -117,7 +117,7 @@ export function verifyCoinPayWebhook(
 const parts = signatureHeader.split(",").map((part) => part.trim());
 const timestamp = parts.find((part) => part.startsWith("t="))?.slice(2);
 const signature = parts.find((part) => part.startsWith("v1="))?.slice(3);
- if (!timestamp || !/^[0-9a-fA-F]{64}$/.test(signature)) {
+ if (!timestamp || !signature || !/^[0-9a-fA-F]{64}$/.test(signature)) {
 return false;
 }
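Review bot: The added `!signature ||` is a type-narrowing fix rather than a behaviour change (`RegExp.test(undefined)` tests the string "undefined" and already fails the 64-hex pattern), which is fine, but the inline regex literal is the only place the accepted signature format is stated. I would hoist it to a named module-level constant so the guard reads as a contract rather than a magic pattern, e.g. `const SIGNATURE_HEX_PATTERN = /^[0-9a-f]{64}$/i; // HMAC-SHA256 hex digest` and then `if (!timestamp || !signature || !SIGNATURE_HEX_PATTERN.test(signature)) {`; the `i` flag is equivalent to the existing `a-fA-F` class. verifyCoinPayWebhook's body continues outside the hunk.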