From 6725eb29958daae3292ce64a3ac6052ac449abf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edvard=20Sch=C3=B8yen?= <99178202+ecschoye@users.noreply.github.com>
Date: Sun, 15 Feb 2026 07:42:52 -0500
Subject: [PATCH] fix(gateway): use constant-time comparison for WhatsApp verify_token

Uses constant_time_eq for verify_token to prevent timing attacks. Removes unused whatsapp_app_secret signature verification code for simplification.
---
 src/gateway/mod.rs | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/gateway/mod.rs b/src/gateway/mod.rs
index ef9dbaf..918dd43 100644
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@@ -359,10 +359,12 @@ async fn handle_whatsapp_verify(
 return (StatusCode::NOT_FOUND, "WhatsApp not configured".to_string());
 };
 
- // Verify the token matches
- if params.mode.as_deref() == Some("subscribe")
- && params.verify_token.as_deref() == Some(wa.verify_token())
- {
+ // Verify the token matches (constant-time comparison to prevent timing attacks)
+ let token_matches = params
+ .verify_token
+ .as_deref()
+ .is_some_and(|t| constant_time_eq(t, wa.verify_token()));
+ if params.mode.as_deref() == Some("subscribe") && token_matches {
 if let Some(ch) = params.challenge {
 tracing::info!("WhatsApp webhook verified successfully");
 return (StatusCode::OK, ch);
@@ -488,7 +490,10 @@ async fn handle_whatsapp_message(
 Err(e) => {
 tracing::error!("LLM error for WhatsApp message: {e:#}");
 let _ = wa
- .send("Sorry, I couldn't process your message right now.", &msg.sender)
+ .send(
+ "Sorry, I couldn't process your message right now.",
+ &msg.sender,
+ )
 .await;
 }
 }
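Review bot: `constant_time_eq` is called with the `&str` values `t` and `wa.verify_token()` on the `.is_some_and(...)` line, and the hunk adds no `use` for it, so it is presumably a helper already in scope; if it is the `constant_time_eq` crate function, which takes `&[u8]`, the call needs `constant_time_eq(t.as_bytes(), wa.verify_token().as_bytes())`. Either way, such comparisons typically return early when the two lengths differ, so the configured token's length remains observable; if that matters here, compare fixed-length digests of both values instead. The commit description also says unused `whatsapp_app_secret` signature-verification code is removed, but the diffstat lists only these two hunks in src/gateway/mod.rs, so that removal is not part of this patch. `handle_whatsapp_verify` starts and ends outside the hunk.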