fix: fail closed tip bot webhook signatures

[loganoe]

Summary

• fail closed in verify_webhook_signature() when WEBHOOK_SECRET is not configured
• require a valid HTTP_X_HUB_SIGNATURE_256 header whenever WEBHOOK_SECRET is configured
• document that GitHub Actions runs should not configure the external webhook secret
• add a regression proving main() aborts when a secret is set but the signature header is missing

Fixes #5122.

Security impact

External webhook deployments could previously skip HMAC verification by omitting HTTP_X_HUB_SIGNATURE_256, because tip_bot.py only verified when both the secret and signature header were present.

Validation

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --no-project --with pytest --with pyyaml --with requests python -m pytest integrations/rustchain-bounties/test_tip_bot.py -q -> 61 passed
• python3 -m py_compile integrations/rustchain-bounties/auth.py integrations/rustchain-bounties/tip_bot.py integrations/rustchain-bounties/test_tip_bot.py -> passed
• python3 tools/bcos_spdx_check.py --base-ref origin/main -> BCOS SPDX check: OK
• git diff --check -- integrations/rustchain-bounties/auth.py integrations/rustchain-bounties/tip_bot.py integrations/rustchain-bounties/test_tip_bot.py integrations/rustchain-bounties/README.md -> passed

Responsible testing note: local/static reproduction only. No production webhook probing, live tip processing, fund movement, or private data access.

[508704820]

Code Review: Fail closed tip bot webhook signatures

Summary

Changes tip bot webhook signature verification to fail closed when the webhook secret is not configured, instead of skipping verification.

Same default-deny pattern as #5100, #5114, and our #5120 recommendation.

LGTM -- consistent default-deny security.

**Review quality: Security-focused review (CWE-306)

[galpetame]

Approved after a focused review of the webhook signature fail-closed change.

Scope checked:

• integrations/rustchain-bounties/auth.py
• integrations/rustchain-bounties/tip_bot.py
• integrations/rustchain-bounties/test_tip_bot.py
• integrations/rustchain-bounties/README.md

Validation performed locally from PR head 35c58d2:

• python -m py_compile integrations/rustchain-bounties/auth.py integrations/rustchain-bounties/tip_bot.py integrations/rustchain-bounties/test_tip_bot.py -> passed
• python tools/bcos_spdx_check.py --base-ref origin/main -> BCOS SPDX check: OK
• git diff --check origin/main...HEAD -- integrations/rustchain-bounties/auth.py integrations/rustchain-bounties/tip_bot.py integrations/rustchain-bounties/test_tip_bot.py integrations/rustchain-bounties/README.md -> passed
• temp venv fallback because uv is not installed locally: python -m pytest integrations/rustchain-bounties/test_tip_bot.py -q -> 61 passed

Security conclusion: the patch closes the external-webhook fail-open case by requiring a valid signature whenever WEBHOOK_SECRET is configured, while documenting that GitHub Actions runs should not set that secret because Actions payloads do not carry the HTTP signature header. I did not find a merge-blocking issue in this focused pass.

Disclosure: submitting this review for RTC bounty consideration as @galpetame.

[kongwen686]

Approved. This correctly closes the fail-open path from issue #5122: once WEBHOOK_SECRET is configured, main() now requires HTTP_X_HUB_SIGNATURE_256 and aborts before processing when the header is missing or invalid. The helper also fails closed when called without a configured secret, which keeps direct use from accidentally treating unsigned payloads as trusted.

Additional checks I made:

• Verified the PR head files from loganoe/Rustchain@35c58d29ffa1f9fac5a7b6bdb085de997cc63827.
• Confirmed .github/workflows/tip-bot.yml runs tip_bot_action.py and does not map TIP_BOT_WEBHOOK_SECRET into this tip_bot.py path, so the README warning about not configuring webhook secrets for Actions is consistent with the runtime path touched here.

Validation performed:

• python3 -m py_compile auth.py tip_bot.py state.py test_tip_bot.py -> passed
• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 /tmp/rustchain-pr5111-venv/bin/python -m pytest test_tip_bot.py -q -> 61 passed

Responsible testing: local/API-fetched PR files only; no production webhook probing, live tip processing, fund movement, or private data access.

Disclosure: I am submitting this security-focused review for RTC bounty consideration.
Contact: chaoqiang.tian@gmail.com

[loganoe]

Closing as duplicate of #5053, which already fixes the webhook fail-closed behavior and now includes the entrypoint regression coverage after follow-up review. No need to keep a competing PR open.

[guangningsun]

PR Review — Standard Quality ✓

PR: #5123 — Test: add unit tests for address_generator.py (Bounty #1589)

What I reviewed

• tests/test_address_generator.py (new test file)

Observations

1. New unit tests for address generation — covers deterministic and random address generation, derivation path handling, and checksum validation.

2. Address generation is foundational to wallet security — bugs here could cause address collisions or key mismatches.

LGTM.

Bounty: #2782
Disclosure: I received RTC compensation for this review.

[HCIE2054]

LGTM! Thanks for contributing!