-
Notifications
You must be signed in to change notification settings - Fork 44
/
webhook-signature-express-middleware.js
67 lines (52 loc) · 2.38 KB
/
webhook-signature-express-middleware.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// This example show how to verify the authenticity of a MessageBird webhook.
const mbWebhookSignatureJwt = require('messagebird/lib/webhook-signature-jwt');
const express = require('express');
const secret = '<YOUR SIGNING KEY>';
const app = express();
// If the node server is behind a proxy, you must trust the proxy to infer the correct protocol and hostname.
app.set('trust proxy', () => true);
// Replace <YOUR_SIGNING_KEY> with your actual signing key.
const verifySignature = new mbWebhookSignatureJwt.ExpressMiddlewareVerify(secret);
// Retrieve the raw body as a buffer.
app.use(express.raw({ 'type': '*/*' }));
// Verified webhook.
app.get('/webhook', verifySignature, (req, res) => {
res.send('verified');
});
app.post('/webhook', verifySignature, (req, res) => {
res.send('verified');
});
// If the application is sitting behind an uncooperative or untrusted proxy not setting headers like 'x-forwarded-proto', 'forwarded', etc.
// it's possible to only perform a partial verification covering:
// - the payload of the request: was the payload altered?
// - the origin of the request: is the request coming from MessageBird?
//
// However it doesn't verify if the URL was altered or not.
//
// This shouldn't be used in a production system and when used no query parameters should be trusted.
const skipUrlOpts = new mbWebhookSignatureJwt.VerifyOptions();
skipUrlOpts.validateUrl = false;
let skipUrlVerifySignature = new mbWebhookSignatureJwt.ExpressMiddlewareVerify(secret, skipUrlOpts);
app.get('/webhook-skip-url-verification', skipUrlVerifySignature, (req, res) => {
res.send('partialy verified');
});
// It's also possible to protect further by ensuring the uniqueness of the JWT ID (jti).
// By default jti is required but always considered valid.
//
// Do note that the following implementation isn't production-grade and only for demonstration purposes.
const verifyJtiOpts = new mbWebhookSignatureJwt.VerifyOptions();
const seenJtis = new Set();
skipUrlOpts.jwtVerifyJti = (jti) => {
if (seenJtis.has(jti)) {
return false;
}
seenJtis.add(jti);
return true;
};
const verifyJtiVerifySignature = new mbWebhookSignatureJwt.ExpressMiddlewareVerify(secret, verifyJtiOpts);
app.get('/webhook-verify-jti', verifyJtiVerifySignature, (req, res) => {
res.send('verified with jti');
});
app.listen(8000, () => {
console.log('Example webhooks hanlder listening at http://localhost:8000');
});