|
| 1 | +const crypto = require("node:crypto"); |
| 2 | + |
1 | 3 | const ApiError = require("./error"); |
2 | 4 |
|
| 5 | +/** |
| 6 | + * @see {@link validateWebhook} |
| 7 | + * @overload |
| 8 | + * @param {object} requestData - The request data |
| 9 | + * @param {string} requestData.id - The webhook ID header from the incoming request. |
| 10 | + * @param {string} requestData.timestamp - The webhook timestamp header from the incoming request. |
| 11 | + * @param {string} requestData.body - The raw body of the incoming webhook request. |
| 12 | + * @param {string} requestData.secret - The webhook secret, obtained from `replicate.webhooks.defaul.secret` method. |
| 13 | + * @param {string} requestData.signature - The webhook signature header from the incoming request, comprising one or more space-delimited signatures. |
| 14 | + */ |
| 15 | + |
| 16 | +/** |
| 17 | + * @see {@link validateWebhook} |
| 18 | + * @overload |
| 19 | + * @param {object} requestData - The request object |
| 20 | + * @param {object} requestData.headers - The request headers |
| 21 | + * @param {string} requestData.headers["webhook-id"] - The webhook ID header from the incoming request |
| 22 | + * @param {string} requestData.headers["webhook-timestamp"] - The webhook timestamp header from the incoming request |
| 23 | + * @param {string} requestData.headers["webhook-signature"] - The webhook signature header from the incoming request, comprising one or more space-delimited signatures |
| 24 | + * @param {string} requestData.body - The raw body of the incoming webhook request |
| 25 | + * @param {string} secret - The webhook secret, obtained from `replicate.webhooks.defaul.secret` method |
| 26 | + */ |
| 27 | + |
| 28 | +/** |
| 29 | + * Validate a webhook signature |
| 30 | + * |
| 31 | + * @returns {boolean} - True if the signature is valid |
| 32 | + * @throws {Error} - If the request is missing required headers, body, or secret |
| 33 | + */ |
| 34 | +function validateWebhook(requestData, secret) { |
| 35 | + let { id, timestamp, body, signature } = requestData; |
| 36 | + const signingSecret = secret || requestData.secret; |
| 37 | + |
| 38 | + if ( |
| 39 | + requestData && |
| 40 | + requestData.headers && |
| 41 | + typeof requestData.body === "string" |
| 42 | + ) { |
| 43 | + id = requestData.headers["webhook-id"]; |
| 44 | + timestamp = requestData.headers["webhook-timestamp"]; |
| 45 | + signature = requestData.headers["webhook-signature"]; |
| 46 | + body = requestData.body; |
| 47 | + } |
| 48 | + |
| 49 | + if (!id || !timestamp || !signature) { |
| 50 | + throw new Error("Missing required webhook headers"); |
| 51 | + } |
| 52 | + |
| 53 | + if (!body) { |
| 54 | + throw new Error("Missing required body"); |
| 55 | + } |
| 56 | + |
| 57 | + if (!signingSecret) { |
| 58 | + throw new Error("Missing required secret"); |
| 59 | + } |
| 60 | + |
| 61 | + const signedContent = `${id}.${timestamp}.${body}`; |
| 62 | + |
| 63 | + const secretBytes = Buffer.from(signingSecret.split("_")[1], "base64"); |
| 64 | + |
| 65 | + const computedSignature = crypto |
| 66 | + .createHmac("sha256", secretBytes) |
| 67 | + .update(signedContent) |
| 68 | + .digest("base64"); |
| 69 | + |
| 70 | + const expectedSignatures = signature |
| 71 | + .split(" ") |
| 72 | + .map((sig) => sig.split(",")[1]); |
| 73 | + |
| 74 | + return expectedSignatures.some( |
| 75 | + (expectedSignature) => expectedSignature === computedSignature |
| 76 | + ); |
| 77 | +} |
| 78 | + |
3 | 79 | /** |
4 | 80 | * Automatically retry a request if it fails with an appropriate status code. |
5 | 81 | * |
@@ -68,4 +144,4 @@ async function withAutomaticRetries(request, options = {}) { |
68 | 144 | return request(); |
69 | 145 | } |
70 | 146 |
|
71 | | -module.exports = { withAutomaticRetries }; |
| 147 | +module.exports = { validateWebhook, withAutomaticRetries }; |
0 commit comments