This repository was archived by the owner on Feb 5, 2025. It is now read-only.

feat: Hookdeck webhook signature verification #3

Merged
merged 12 commits into from
May 7, 2024


leggetter
Collaborator

@leggetter leggetter commented Apr 24, 2024

Adds the ability to verify the Hookdeck webhook signature.

const headers = request.headers;
// Read the body as raw text: the signature is checked against the rawBody passed in here.
const rawBody = await request.text();
const result = await verifyWebhookSignature({
    headers,
    rawBody,
    signingSecret: process.env.HOOKDECK_SIGNING_SECRET,
});

if (!result.isValidSignature) {
    // Reject the webhook payload
} else {
    // Proceed with the webhook payload
}

Also check that Hookdeck verified the initial request from the Source.

const headers = request.headers;
// Read the body as raw text: the signature is checked against the rawBody passed in here.
const rawBody = await request.text();
const result = await verifyWebhookSignature({
    headers,
    rawBody,
    signingSecret: process.env.HOOKDECK_SIGNING_SECRET,
    config: {
        // Also check that Hookdeck verified the initial request from the Source
        checkSourceVerification: true,
    },
});

if (!result.isValidSignature) {
    // Reject the webhook payload
} else {
    // Proceed with the webhook payload
}


@chadxz chadxz left a comment


LGTM. I wonder if the user may want this to never throw, though. In that case all the errors would be turned into like debug logs and instead return false for valid signature. Just a thought.

You may also want to check the shape of your error to make sure the name, stack trace etc look how you want them to look.

@leggetter leggetter merged commit 3496bdb into main May 7, 2024
@leggetter leggetter deleted the feat/webhook-verification branch May 7, 2024 06:36
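
The review suggestion above (a verifier that never throws and reports failure through `isValidSignature`) sketched as an added example; it is not code from this PR or from the SDK. It assumes the signature is a base64 HMAC-SHA256 of the raw body carried in an `x-hookdeck-signature` header and that source verification is reported in an `x-hookdeck-verified` header; `verifySignatureNoThrow` and `getHeader` are hypothetical names.

```javascript
// Added example, not the SDK's code. The header names and the base64
// HMAC-SHA256 encoding are assumptions to confirm against Hookdeck's docs.
const crypto = require("node:crypto");

const SIGNATURE_HEADER = "x-hookdeck-signature"; // assumed header name
const VERIFIED_HEADER = "x-hookdeck-verified"; // assumed header name

// Hypothetical helper: read a header from a Fetch Headers object or a plain object.
function getHeader(headers, name) {
  if (headers && typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : null;
}

// Never throws: every failure becomes { isValidSignature: false, error }.
function verifySignatureNoThrow(input) {
  const fail = (error) => ({ isValidSignature: false, error });
  try {
    const { headers, rawBody, signingSecret, config } = input || {};
    if (!signingSecret) return fail("missing signing secret");
    if (typeof rawBody !== "string") return fail("rawBody must be the unparsed body");
    const received = getHeader(headers, SIGNATURE_HEADER);
    if (!received) return fail("missing signature header");

    const expected = crypto.createHmac("sha256", signingSecret).update(rawBody, "utf8").digest();
    const given = Buffer.from(String(received), "base64");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return fail("signature mismatch");
    }
    if (config && config.checkSourceVerification &&
        getHeader(headers, VERIFIED_HEADER) !== "true") {
      return fail("source not verified");
    }
    return { isValidSignature: true };
  } catch (err) {
    return fail(String(err && err.message ? err.message : err));
  }
}

// Constructed sample request values for trying the function.
const sampleSecret = "constructed-test-secret";
const sampleBody = '{"event":"order.created","id":42}';
const sampleSig = crypto.createHmac("sha256", sampleSecret).update(sampleBody, "utf8").digest("base64");
```

The `error` string is meant for the receiver's own logs; the HTTP response to a rejected request should not say which check failed.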