Assert hmac signature is received in mock webhook

mjewildnhs · mjewildnhs · commit 00292ff0804e · 2026-03-18T14:50:45.000Z
diff --git a/lambdas/mock-webhook-lambda/src/__tests__/index.test.ts b/lambdas/mock-webhook-lambda/src/__tests__/index.test.ts
@@ -22,7 +22,10 @@ const mockLogger = jest.requireMock(
   "@nhs-notify-client-callbacks/logger",
 ).instance;
 
-const DEFAULT_HEADERS = { "x-api-key": TEST_API_KEY };
+const DEFAULT_HEADERS = {
+  "x-api-key": TEST_API_KEY,
+  "x-hmac-sha256-signature": "abc123",
+};
 
 const createMockEvent = (
   body: string | null,
@@ -61,6 +64,18 @@ describe("Mock Webhook Lambda", () => {
       const body = JSON.parse(result.body);
       expect(body.message).toBe("Unauthorized");
     });
+
+    it("should return 400 when x-hmac-sha256-signature header is missing", async () => {
+      const callback = { data: [] };
+      const event = createMockEvent(JSON.stringify(callback), {
+        "x-api-key": TEST_API_KEY,
+      });
+      const result = await handler(event);
+
+      expect(result.statusCode).toBe(400);
+      const body = JSON.parse(result.body);
+      expect(body.message).toBe("Missing x-hmac-sha256-signature");
+    });
   });
 
   describe("Happy Path", () => {
diff --git a/lambdas/mock-webhook-lambda/src/index.ts b/lambdas/mock-webhook-lambda/src/index.ts
@@ -52,6 +52,14 @@ async function buildResponse(
     };
   }
 
+  if (!event.headers["x-hmac-sha256-signature"]) {
+    logger.error("Bad request: missing x-hmac-sha256-signature header");
+    return {
+      statusCode: 400,
+      body: JSON.stringify({ message: "Missing x-hmac-sha256-signature" }),
+    };
+  }
+
   if (!event.body) {
     logger.error("No event body received");
 
