Validate hookdeck webhooks

2025-06-02 12:05:41 +03:00
parent 0cd5c6cb69
commit 80fe63b82e
6 changed files with 31 additions and 0 deletions
--- a/.env.example
+++ b/.env.example
@@ -4,3 +4,4 @@ NUXT_SESSION_PASSWORD=
 NUXT_WEBHOOKS_URL=
 NUXT_STRAVA_VERIFY_TOKEN=
 NUXT_HUB_PROJECT_KEY=
 NUXT_HOOKDECK_KEY=
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -11,6 +11,7 @@ export default defineNuxtConfig({
  runtimeConfig: {
    webhooksUrl: "",
    stravaVerifyToken: "",
    hookdeckKey: "",
    openaiApiKey: "",
    databaseUrl: "",
    public: {
--- a/server/routes/webhooks/strava/activity-create.post.ts
+++ b/server/routes/webhooks/strava/activity-create.post.ts
@@ -1,6 +1,8 @@
 import { createActivityContent } from "~~/server/utils/create-content";
 export default defineEventHandler(async (event) => {
  await validateHookdeck(event);
  const body = await readBody(event);
  const db = useDrizzle();
--- a/server/routes/webhooks/strava/athlete-update.post.ts
+++ b/server/routes/webhooks/strava/athlete-update.post.ts
@@ -2,6 +2,8 @@ import { get } from "radash";
 import { eq } from "drizzle-orm";
 export default defineEventHandler(async (event) => {
  await validateHookdeck(event);
  const body = await readBody(event);
  const db = useDrizzle();
--- a/server/routes/webhooks/strava/index.post.ts
+++ b/server/routes/webhooks/strava/index.post.ts
@@ -1,6 +1,9 @@
 import { get } from "radash";
 export default defineEventHandler(async (event) => {
  await validateHookdeck(event);
  const config = useRuntimeConfig();
  const body = await readBody(event);
  const aspectType = get(body, "aspect_type");
@@ -9,5 +12,8 @@ export default defineEventHandler(async (event) => {
  await $fetch(`/webhooks/strava/${objectType}-${aspectType}`, {
    method: "post",
    body,
    headers: {
      "X-Hookdeck-Key": config.hookdeckKey,
    },
  });
 });
--- a/server/utils/hookdeck-validation.ts
+++ b/server/utils/hookdeck-validation.ts
@@ -0,0 +1,19 @@
 import type { H3Event } from "h3";
 import { isEmpty } from "radash";
 export const validateHookdeck = async (event: H3Event) => {
  const hookdeckKeyHeader = getHeader(event, "X-Hookdeck-Key");
  const config = useRuntimeConfig();
  if (isEmpty(hookdeckKeyHeader)) {
    throw createError({
      status: 401,
    });
  }
  if (hookdeckKeyHeader !== config.hookdeckKey) {
    throw createError({
      status: 401,
    });
  }
 };