From 15aa6884a28f1aeb498fdf9d2bc6c8b4d93cf0dd Mon Sep 17 00:00:00 2001
From: teknium1 <127238744+teknium1@users.noreply.github.com>
Date: Sun, 24 May 2026 04:47:06 -0700
Subject: [PATCH] fix(webhook): use 403 not 500 for missing-secret rejection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Operator misconfiguration is a client/setup error, not an internal server exception. 403 "forbidden" more accurately reflects "this route refuses to authenticate" than 500 "internal server error" — the latter triggers incident alerting on operator monitoring and conflates real bugs with config drift. Follow-up tweak to PR #29629 by @m0n3r0.

---
 gateway/platforms/webhook.py | 2 +-
 tests/gateway/test_webhook_adapter.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/gateway/platforms/webhook.py b/gateway/platforms/webhook.py
index 504bfd4433a..32c6e8109bd 100644
--- a/gateway/platforms/webhook.py
+++ b/gateway/platforms/webhook.py
@@ -391,7 +391,7 @@ class WebhookAdapter(BasePlatformAdapter):
 )
 return web.json_response(
 {"error": "Webhook route is missing an HMAC secret"},
- status=500,
+ status=403,
 )
 if secret != _INSECURE_NO_AUTH:
 if not self._validate_signature(request, raw_body, secret):
diff --git a/tests/gateway/test_webhook_adapter.py b/tests/gateway/test_webhook_adapter.py
index 510f312af9f..9cf61c3c3b5 100644
--- a/tests/gateway/test_webhook_adapter.py
+++ b/tests/gateway/test_webhook_adapter.py
@@ -508,7 +508,7 @@ class TestHTTPHandling:
 app = _create_app(adapter)
 async with TestClient(TestServer(app)) as cli:
 resp = await cli.post("/webhooks/test", json={"data": "value"})
- assert resp.status == 500
+ assert resp.status == 403
 data = await resp.json()
 assert data["error"] == "Webhook route is missing an HMAC secret"
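Review bot: The 403 response body still tells an unauthenticated caller that this route exists and has no HMAC secret configured, which is more than a rejected request needs to know; the detail belongs in the server-side log (the call closed by the `)` just above the `return` looks like that log — confirm) and the client could get a generic body such as `{"error": "forbidden"}` instead. Downgrading from 500 to 403 also makes a route that cannot authenticate anything look, in monitoring, like an ordinary rejected probe, so if the goal is to stop paging on config drift rather than to hide it, keep an error-level log line or a dedicated metric on this branch so the drift is still surfaced. The status used by the bad-signature rejection a few lines below is outside the hunk; if it is not also 403, the two rejections remain distinguishable by status alone, which partly defeats the generic-body suggestion. The enclosing handler starts and ends outside the hunk.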