feat: adding webhook verification to TS quickstart

Author: leggetter

typescript/inbound/index.ts

@@ -1,15 +1,54 @@
-import express, { Request, Response, Application } from "express";
+import express, { Request, Response, NextFunction, Application } from "express";
+
+declare module 'express-serve-static-core' {
+  interface Request {
+    rawBody: string;
+  }
+}
+
 import dotenv from "dotenv";
+import { verifyWebhookSignature } from "@hookdeck/sdk/webhooks";
 
 dotenv.config();
 
+const HOOKDECK_WEBHOOK_SECRET = process.env.HOOKDECK_WEBHOOK_SECRET;
+
 const app: Application = express();
-app.use(express.json());
+
+const verify = async (req: Request, res: Response, next: NextFunction) => {
+  if(!HOOKDECK_WEBHOOK_SECRET) {
+    console.warn("No HOOKDECK_WEBHOOK_SECRET found in environment variables. Skipping verification.")
+    return;
+  }
+
+  const verified = await verifyWebhookSignature({
+    headers: req.headers as { [key: string]: string; },
+    rawBody: req.rawBody,
+    signingSecret: HOOKDECK_WEBHOOK_SECRET
+  });
+
+  if(verified) {
+    next();
+  }
+  else {
+    res.status(401).send("Unauthorized");
+  }
+}
+
+app.use(express.json({
+  verify: (req: Request, res: Response, buf: Buffer, encoding: string) => {
+    req.rawBody = buf.toString();
+  }
+}));
 
 const port = process.env.PORT || 3030;
 
-app.post("*", (req: Request, res: Response) => {
-  console.log({ webhook_received: new Date().toISOString(), body: req.body });
+app.post("*", verify, (req: Request, res: Response) => {
+  console.log({
+    webhook_received: new Date().toISOString(), 
+    path: req.path, 
+    body: req.body
+  });
 
   res.json({ status: "ACCEPTED" });
 });

typescript/inbound/package-lock.json

@@ -12,6 +12,7 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
+    "@hookdeck/sdk": "^0.4.0",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
     "nodemon": "^3.0.1"