feat: add webhook verification code to goland example

leggetter · leggetter · commit bae0f7216961 · 2024-09-23T13:14:22.000+01:00
diff --git a/go/inbound/main.go b/go/inbound/main.go
@@ -1,6 +1,11 @@
 package main
 
 import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io"
 	"log"
@@ -10,6 +15,28 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
+func verifyPayload(jsonBody string, headers http.Header) bool {
+	secret := os.Getenv("HOOKDECK_WEBHOOK_SECRET")
+	if secret == "" {
+		log.Println("No HOOKDECK_WEBHOOK_SECRET found in environment variables. Skipping verification.")
+		return true
+	}
+
+	hmacHeader := headers.Get("x-hookdeck-signature")
+	hmacHeader2 := headers.Get("x-hookdeck-signature-2")
+
+	hash := hmac.New(sha256.New, []byte(secret))
+	hash.Write([]byte(jsonBody))
+	expectedHash := base64.StdEncoding.EncodeToString(hash.Sum(nil))
+
+	if expectedHash == hmacHeader ||
+		(hmacHeader2 != "" && expectedHash == hmacHeader2) {
+		return true
+	}
+
+	return false
+}
+
 func main() {
 	r := gin.Default()
 	r.POST("/*path", func(c *gin.Context) {
@@ -23,7 +50,24 @@ func main() {
 			return
 		}
 
-		log.Printf("webhook_received: %v", jsonBody)
+		verified := verifyPayload(jsonBody, c.Request.Header)
+
+		if !verified {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"message": "invalid payload",
+			})
+			return
+		}
+
+		var prettyJSON bytes.Buffer
+		if err := json.Indent(&prettyJSON, []byte(jsonBody), "", "  "); err != nil {
+			log.Printf("Failed to format JSON: %v", err)
+			c.JSON(http.StatusInternalServerError, gin.H{
+				"message": "failed to format JSON",
+			})
+			return
+		}
+		log.Printf("webhook_received: %v", prettyJSON.String())
 
 		c.JSON(http.StatusOK, gin.H{
 			"status": "ACCEPTED",
@@ -32,7 +76,7 @@ func main() {
 
 	port := os.Getenv("PORT")
 	if port == "" {
-		port = "3030"
+		port = "3032"
 	}
 
 	fmt.Printf("🪝 Server running at http://localhost:%s", port)
