/webhook-verifier

A lightweight tool for verifying the validity of webhook payloads

Primary LanguageTypeScriptBSD 3-Clause "New" or "Revised" LicenseBSD-3-Clause

Webhook verifier

A lightweight JavaScript tool for verifying the validity of incoming webhook payloads from the Chec API. This script is designed to run in a Node.js context, e.g. a serverless function/Lambda.

CI status Version Downloads/week License
commercejs.com | @commercejs | Slack

Installation

npm install @chec/webhook-verifier
# or
yarn add @chec/webhook-verifier

Usage

Import verifyWebhook and use it at the start of your handler method. Provide your Chec webhook signing key as the second argument (available in your Chec Dashboard):

import { verifyWebhook } from '@chec/webhook-verifier';

module.exports = function (request) {
    verifyWebhook(request, process.env.CHEC_WEBHOOK_SIGNING_KEY);

    // ... continue with your logic
}

The verifyWebhook method signature is:

interface Payload {
    signature?: string,
    created: number,
}

export function verifyWebhook(data: Payload, signingKey: string, maxAgeSeconds: number = 300): void {
    // ...
}

The verifyWebhook method will throw an error if any checks fail:

  • The webhook signature is missing, or the signing key is missing
  • The webhook signature was invalid
  • The request is older than 5 minutes (by default)

License

This repository is available under a BSD-3-Clause license.