Update nango crate: add webhook module with verification, expand types per docs

[devin-ai-integration]

Summary

Updates crates/nango to align with the current Nango API docs for API auth and webhooks.

Changes:

• types.rs: Added tags: Option<HashMap<String, String>> to NangoConnectSessionRequestUser per the connect session API. Removed the old minimal NangoConnectWebhook / NangoConnectWebhookEndUser types (unused outside this crate).
• webhook.rs (new): Dedicated module containing:
  • verify_webhook_signature() — HMAC-SHA256 verification for the X-Nango-Hmac-Sha256 header
  • NangoAuthWebhook — full auth webhook payload (authMode, providerConfigKey, provider, environment, success, error, etc.)
  • NangoSyncWebhook / NangoSyncWebhookResults — sync webhook types
  • NangoWebhookEndUser — now includes endUserEmail and tags
  • NangoWebhookError — error payload for failed auth operations
  • Unit tests for signature verification and JSON deserialization of all webhook types

Review & Testing Checklist for Human

• Timing side-channel in signature verification: verify_webhook_signature uses plain == string comparison rather than constant-time comparison (hmac::Mac::verify or similar). Evaluate whether this matters for your threat model.
• Renamed webhook types: Old NangoConnectWebhook → NangoAuthWebhook, NangoConnectWebhookEndUser → NangoWebhookEndUser. Confirm no downstream consumers outside this crate reference the old names (grep showed none, but verify in any out-of-tree code).
• Non-optional fields on NangoAuthWebhook: Fields like auth_mode, provider, environment are required. Verify against real Nango webhook payloads that these are always present.

Notes

• hmac, sha2, hex added as direct crate deps (not workspace-level) since they're only used here.
• Requested by: @yujonglee
• Link to Devin run

---

[netlify]

✅ Deploy Preview for hyprnote canceled.

Name	Link
🔨 Latest commit	4923c52
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote/deploys/698752a90e45350008feb472

[netlify]

✅ Deploy Preview for hyprnote-storybook canceled.

Name	Link
🔨 Latest commit	4923c52
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote-storybook/deploys/698752a9f8d5ab0007c32954

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 Timing side-channel in webhook signature verification using non-constant-time ==

The verify_webhook_signature function at crates/nango/src/webhook.rs:16 uses plain == string comparison to compare the computed HMAC against the provided signature. This is vulnerable to timing side-channel attacks, where an attacker can progressively determine the correct signature byte-by-byte by measuring response time differences.

Root Cause and Impact

Rust's == on strings short-circuits on the first differing byte. An attacker sending crafted webhook requests can measure how long the comparison takes and deduce how many leading bytes of their forged signature match the expected one. Over many requests, this allows reconstructing the full valid HMAC without knowing the secret key.

The hmac crate already provides Mac::verify() which performs constant-time comparison internally. The current code computes the HMAC correctly but then discards the constant-time verification by hex-encoding and using ==:

let expected = hex::encode(mac.finalize().into_bytes());
expected == signature

Instead, the signature should be decoded from hex and verified using mac.verify_slice(), or the raw bytes should be compared using a constant-time comparison function.

Impact: An attacker who can send arbitrary webhook payloads to the endpoint and measure response times could forge valid webhook signatures, bypassing authentication and injecting malicious webhook events.

Suggested change

	let expected = hex::encode(mac.finalize().into_bytes());
	expected == signature
	let expected = mac.finalize().into_bytes();
	let Ok(signature_bytes) = hex::decode(signature) else {
	return false;
	};
	expected.as_slice().len() == signature_bytes.len()
	&& hmac::Mac::verify_slice(HmacSha256::new_from_slice(secret_key.as_bytes()).unwrap(), &signature_bytes).is_ok()

---

Was this helpful? React with 👍 or 👎 to provide feedback.