From f969fb3b6baa32ce9970438e93f49724bf5e1178 Mon Sep 17 00:00:00 2001
From: mawkone
Date: Thu, 26 Feb 2026 15:27:38 -0800
Subject: [PATCH] fix: capture raw body for HMAC before express.json() middleware
Made-with: Cursor
---
 dist/server.js | 5 +++--
 src/server.ts | 7 +++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/dist/server.js b/dist/server.js
index 4b755f8..c91c7fc 100644
--- a/dist/server.js
+++ b/dist/server.js
@@ -47,6 +47,8 @@ const agent_runner_1 = require("./agent-runner");
 const agents_1 = require("./agents");
 const app = (0, express_1.default)();
 app.use((0, cors_1.default)());
+// Raw body capture for webhook HMAC — must come before express.json()
+app.use('/webhook/gitea', express_1.default.raw({ type: '*/*' }));
 app.use(express_1.default.json());
 const PORT = process.env.PORT || 3333;
 // ---------------------------------------------------------------------------
@@ -159,8 +161,7 @@ app.get('/api/jobs', (req, res) => {
 res.json((0, job_store_1.listJobs)(limit));
 });
 // Gitea webhook endpoint — triggers agent from an issue event
-// Must use raw body for HMAC verification — register before express.json()
-app.post('/webhook/gitea', express_1.default.raw({ type: 'application/json' }), (req, res) => {
+app.post('/webhook/gitea', (req, res) => {
 const event = req.headers['x-gitea-event'];
 const rawBody = req.body;
 // Verify HMAC-SHA256 signature
diff --git a/src/server.ts b/src/server.ts
index 271f7dd..389ef49 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -11,6 +11,10 @@ import { ToolContext } from './tools';
 const app = express();
 app.use(cors());
+
+// Raw body capture for webhook HMAC — must come before express.json()
+app.use('/webhook/gitea', express.raw({ type: '*/*' }));
+
 app.use(express.json());
 const PORT = process.env.PORT || 3333;
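Review bot: The added `express.raw({ type: '*/*' })` in src/server.ts widens the matcher from the `application/json` the route-level parser used before, so a body of any declared content type sent to `/webhook/gitea` is buffered before the signature is checked; because `app.use` matches by path prefix, that also covers sub-paths and every HTTP method. Unless the Gitea hook is configured to post something other than JSON, keeping the matcher narrow and stating the size cap explicitly would be tighter: `app.use('/webhook/gitea', express.raw({ type: 'application/json', limit: '100kb' }));` (100kb is the body-parser default). The comment above it could also say why the order matters, e.g. `// HMAC is computed over the exact bytes sent; express.json() would replace them with a parsed object`. The same line is mirrored in the compiled dist/server.js hunk.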
@@ -138,8 +142,7 @@ app.get('/api/jobs', (req: Request, res: Response) => {
 });
 // Gitea webhook endpoint — triggers agent from an issue event
-// Must use raw body for HMAC verification — register before express.json()
-app.post('/webhook/gitea', express.raw({ type: 'application/json' }), (req: Request, res: Response) => {
+app.post('/webhook/gitea', (req: Request, res: Response) => {
 const event = req.headers['x-gitea-event'] as string;
 const rawBody = req.body as Buffer;
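Review bot: `const rawBody = req.body as Buffer;` is only a compile-time assertion, and with the parser now registered in a separate `app.use` away from this route, nothing in the visible lines guarantees a Buffer at runtime. A request with no body or no Content-Type header is skipped by `express.raw()` and reaches the handler with a non-Buffer `req.body`, as would any request if the middleware order is changed later. A guard ahead of the HMAC step keeps the handler failing closed on its own: `if (!Buffer.isBuffer(req.body)) { res.status(400).end(); return; }`. The removed comment also documented the raw-body requirement at the route; a one-line pointer such as `// req.body is a Buffer here: express.raw() is mounted on this path above express.json()` would keep that visible. The handler body continues outside the hunk, so an equivalent check may already exist further down.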