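import { timingSafeEqual } from 'crypto';

/**
 * Checks the shared secret that Documenso attaches to an outbound webhook.
 *
 * Documenso (v1.13 + 2.x) authenticates outbound webhooks by sending the
 * configured secret in plaintext via the `X-Documenso-Secret` header. There is
 * no HMAC, so the header is a bearer value: it is not bound to the request
 * body, and anything that can read the header (request logs, proxies) holds
 * the secret. Keep the header value out of logs and error messages.
 *
 * The function never throws and fails closed: a missing, empty or non-string
 * value on either side is a mismatch. This matters when `expected` comes from
 * an unset environment variable, where an empty or undefined secret must not
 * authenticate any request.
 *
 * @param provided - Value of the `X-Documenso-Secret` request header.
 * @param expected - Secret configured for this webhook (the env secret).
 * @returns `true` only when both values are non-empty and byte-for-byte equal.
 */
export function verifyDocumensoSecret(provided: string, expected: string): boolean {
  // Runtime type checks: header and env lookups are often `undefined` (or an
  // array for repeated headers) at runtime even when typed as `string`.
  if (typeof provided !== 'string' || typeof expected !== 'string') return false;
  if (provided.length === 0 || expected.length === 0) return false;

  const providedBytes = Buffer.from(provided, 'utf8');
  const expectedBytes = Buffer.from(expected, 'utf8');

  // timingSafeEqual throws when the byte lengths differ, and two strings with
  // the same number of UTF-16 code units can still encode to different byte
  // counts, so compare the encoded lengths. This early return reveals only the
  // secret's length, not its content.
  if (providedBytes.length !== expectedBytes.length) return false;

  return timingSafeEqual(providedBytes, expectedBytes);
}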