feat: Event Verify Type Signature, Aggressively Push Status Checks in Webhook

Author: maticzav

examples/webhook.ts

@@ -12,7 +12,7 @@ import { env } from './utils';
 env();
 
 const PORT = 3000;
-const WAIT_FOR_TASK_FINISH_TIMEOUT = 60_000;
+const WAIT_FOR_TASK_FINISH_TIMEOUT = 3 * 60_000;
 
 // Environment ---------------------------------------------------------------
 
@@ -57,7 +57,7 @@ async function main() {
 
           const event = await verifyWebhookEventSignature(
             {
-              evt: body,
+              body,
               signature,
               timestamp,
             },

src/lib/bin/commands/listen.ts

@@ -115,11 +115,20 @@ export const listen = new Command('listen')
         }
       }
 
-      if (queue.current.length === 0) {
-        return;
-      }
-
-      const promises = queue.current.map(async (update) => {
+      // Send Events
+
+      const events: (Webhook & { internal?: true })[] = [
+        // NOTE: We push the ping request on every tick to ensure the webhook is alive.
+        {
+          type: 'test',
+          timestamp: new Date().toISOString(),
+          payload: { test: 'ok' },
+          internal: true,
+        },
+        ...queue.current,
+      ];
+
+      const promises = events.map(async (update) => {
         const body = JSON.stringify(update);
 
         const signature = createWebhookSignature({
@@ -155,7 +164,9 @@ export const listen = new Command('listen')
       const delivery = await Promise.all(promises);
 
       // NOTE: We preserve the rejected updates so we can retry them.
-      queue.current = delivery.filter((d) => d.delivery === 'rejected').map((d) => d.update);
+      queue.current = delivery
+        .filter((d) => d.delivery === 'rejected' && d.update.internal !== true)
+        .map((d) => d.update);
     }, 1_000);
 
     console.log(`Forwarding updates to: ${localTargetEndpoint}!`);

src/lib/webhooks.ts

@@ -18,7 +18,7 @@ export type WebhookTestPayload = z.infer<typeof zWebhookTestPayload>;
 
 export const zWebhookTest = z.object({
   type: z.literal('test'),
-  timestamp: z.iso.datetime({ offset: true }),
+  timestamp: zWebhookTimestamp,
   payload: zWebhookTestPayload,
 });
 
@@ -66,14 +66,15 @@ export type Webhook = z.infer<typeof zWebhookSchema>;
  */
 export async function verifyWebhookEventSignature(
   evt: {
-    evt: string;
+    body: string | object;
     signature: string;
     timestamp: string;
   },
   cfg: { secret: string },
 ): Promise<{ ok: true; event: Webhook } | { ok: false }> {
   try {
-    const event = await zWebhookSchema.safeParseAsync(JSON.parse(evt.evt));
+    const json = typeof evt.body === 'string' ? JSON.parse(evt.body) : evt.body;
+    const event = await zWebhookSchema.safeParseAsync(json);
 
     if (event.success === false) {
       return { ok: false };

tests/lib/webhooks.test.ts

@@ -79,9 +79,18 @@ describe('webhooks', () => {
         timestamp,
       });
 
-      const valid = await verifyWebhookEventSignature(
+      const validJSON = await verifyWebhookEventSignature(
         {
-          evt: JSON.stringify(MOCK),
+          body: MOCK,
+          signature: signature,
+          timestamp,
+        },
+        { secret: 'secret' },
+      );
+
+      const validString = await verifyWebhookEventSignature(
+        {
+          body: JSON.stringify(MOCK),
           signature: signature,
           timestamp,
         },
@@ -90,14 +99,15 @@ describe('webhooks', () => {
 
       const invalid = await verifyWebhookEventSignature(
         {
-          evt: JSON.stringify(MOCK),
+          body: JSON.stringify(MOCK),
           signature: 'invalid',
           timestamp,
         },
         { secret: 'secret' },
       );
 
-      expect(valid.ok).toBe(true);
+      expect(validJSON.ok).toBe(true);
+      expect(validString.ok).toBe(true);
       expect(invalid.ok).toBe(false);
     });
   });