Validate hookdeck webhooks

server/routes/webhooks/strava/activity-create.post.ts

@@ -1,6 +1,8 @@
 import { createActivityContent } from "~~/server/utils/create-content";
 
 export default defineEventHandler(async (event) => {
+  await validateHookdeck(event);
+
   const body = await readBody(event);
   const db = useDrizzle();
 

server/routes/webhooks/strava/athlete-update.post.ts

@@ -2,6 +2,8 @@ import { get } from "radash";
 import { eq } from "drizzle-orm";
 
 export default defineEventHandler(async (event) => {
+  await validateHookdeck(event);
+
   const body = await readBody(event);
   const db = useDrizzle();
 

server/routes/webhooks/strava/index.post.ts

@@ -1,6 +1,9 @@
 import { get } from "radash";
 
 export default defineEventHandler(async (event) => {
+  await validateHookdeck(event);
+
+  const config = useRuntimeConfig();
   const body = await readBody(event);
 
   const aspectType = get(body, "aspect_type");
@@ -9,5 +12,8 @@ export default defineEventHandler(async (event) => {
   await $fetch(`/webhooks/strava/${objectType}-${aspectType}`, {
     method: "post",
     body,
+    headers: {
+      "X-Hookdeck-Key": config.hookdeckKey,
+    },
   });
 });

server/utils/hookdeck-validation.ts

@@ -0,0 +1,19 @@
+import type { H3Event } from "h3";
+import { isEmpty } from "radash";
+
+export const validateHookdeck = async (event: H3Event) => {
+  const hookdeckKeyHeader = getHeader(event, "X-Hookdeck-Key");
+  const config = useRuntimeConfig();
+
+  if (isEmpty(hookdeckKeyHeader)) {
+    throw createError({
+      status: 401,
+    });
+  }
+
+  if (hookdeckKeyHeader !== config.hookdeckKey) {
+    throw createError({
+      status: 401,
+    });
+  }
+};