oscerd opened a new pull request, #24034: URL: https://github.com/apache/camel/pull/24034
## Description

The `camel-whatsapp` webhook consumer forwards inbound event callbacks to the route without verifying their authenticity. WhatsApp/Meta signs event payloads with an `X-Hub-Signature-256` header (HMAC-SHA256 of the raw request body keyed by the app secret).

This adds a `webhookSecret` endpoint option:

- When set, inbound event callbacks whose `X-Hub-Signature-256` signature is missing or does not match are rejected with HTTP 403, using a constant-time comparison.
- When not set, behaviour is unchanged (no signature verification).

This mirrors the signature verification already provided by `camel-clickup`.

## Testing

Adds `WhatsAppWebhookSignatureTest` covering valid, invalid, missing, tampered-payload and wrong-secret cases.

_Claude Code on behalf of Andrea Cosentino._

🤖 Generated with [Claude Code](https://claude.com/claude-code)
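The check this pull request describes, sketched as an added Java example; it is not code from the pull request or from `camel-whatsapp`. The class `HubSignatureCheck`, its method names, and the sample body and secret are assumptions made here, and the `sha256=` hex prefix on the header value follows Meta's webhook documentation rather than anything stated in the description.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration: HubSignatureCheck and its methods are hypothetical names,
// not the camel-whatsapp implementation. Requires Java 17+ (HexFormat).
public class HubSignatureCheck {
    private static final String PREFIX = "sha256="; // header value is "sha256=" + hex digest

    static byte[] hmac(byte[] rawBody, String secret) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(rawBody);
    }

    // True only when the header carries the HMAC-SHA256 of the raw body under the secret.
    // A caller would answer HTTP 403 on false.
    static boolean isValid(String header, byte[] rawBody, String secret) {
        if (header == null || !header.startsWith(PREFIX)) {
            return false; // missing or malformed header
        }
        try {
            byte[] received = HexFormat.of().parseHex(header.substring(PREFIX.length()));
            // MessageDigest.isEqual is a constant-time comparison
            return MessageDigest.isEqual(hmac(rawBody, secret), received);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return false; // non-hex signature, empty key or crypto failure: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-app-secret"; // constructed sample values
        byte[] body = "{\"object\":\"whatsapp_business_account\"}".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "{\"object\":\"tampered\"}".getBytes(StandardCharsets.UTF_8);
        String good = PREFIX + HexFormat.of().formatHex(hmac(body, secret));

        System.out.println("valid:        " + isValid(good, body, secret));
        System.out.println("invalid:      " + isValid(PREFIX + "00".repeat(32), body, secret));
        System.out.println("missing:      " + isValid(null, body, secret));
        System.out.println("tampered:     " + isValid(good, tampered, secret));
        System.out.println("wrong secret: " + isValid(good, body, "other-secret"));
    }
}
```

The HMAC has to be computed over the request bytes exactly as received; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.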
