webhooks-server.js
// Express server that receives and verifies Postcard.bot webhook events
// Usage: WEBHOOK_SECRET=whsec_your_secret node webhooks-server.js
//
// 1. First create a webhook via the API or MCP:
// curl -X POST https://postcard.bot/api/v1/webhooks \
// -H "Authorization: Bearer pk_live_your_key" \
// -H "Content-Type: application/json" \
// -d '{"url":"https://your-server.com/webhooks","events":["postcard.sent","postcard.delivered"]}'
//
// 2. Save the "secret" from the response
// 3. Run this server with that secret
const express = require("express");
const crypto = require("crypto");
// Runtime configuration is taken from the environment.
const { WEBHOOK_SECRET } = process.env;
const PORT = process.env.PORT || 3001;

// Refuse to start without the signing secret: without it no delivery can be
// authenticated, so the process exits instead of accepting unsigned requests.
if (!WEBHOOK_SECRET) {
  const startupErrors = [
    "Set WEBHOOK_SECRET environment variable",
    "You get this when creating a webhook via the API",
  ];
  for (const line of startupErrors) {
    console.error(line);
  }
  process.exit(1);
}

const app = express();

// Keep the /webhooks body as an unparsed Buffer: the signature covers the
// bytes as sent, so the body must not be JSON-parsed before verification.
app.use("/webhooks", express.raw({ type: "application/json" }));
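/**
 * Verify the signature header of a webhook delivery against its raw body.
 *
 * Header format: `t=<timestamp>,v1=<base64 signature>`. The signature is an
 * HMAC-SHA256, keyed with WEBHOOK_SECRET, over `<timestamp>.<rawBody>`.
 *
 * NOTE(review): the timestamp is compared with Date.now(), so it is assumed to
 * be milliseconds since the epoch; confirm against the provider's docs.
 * NOTE(review): a delivery replayed inside the 5-minute window still verifies;
 * if deliveries carry a unique id, deduplicate on it in the handler.
 *
 * @param {string|Buffer} rawBody - Request body exactly as received. Never pass
 *   re-serialized JSON: the MAC covers the original bytes.
 * @param {string|undefined} signatureHeader - Raw signature header value.
 * @returns {boolean} true only if the timestamp is within 5 minutes of now and
 *   the signature matches; false for a missing, malformed or wrong header.
 */
function verifySignature(rawBody, signatureHeader) {
  if (typeof signatureHeader !== "string" || signatureHeader === "") return false;

  // Split each field at its FIRST "=" only. Base64 ends in "=" padding, and
  // split("=", 2) would silently drop it and break every valid signature.
  // A Map keeps sender-controlled keys away from Object.prototype.
  const fields = new Map();
  for (const part of signatureHeader.split(",")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    fields.set(part.slice(0, eq), part.slice(eq + 1));
  }

  const timestamp = fields.get("t");
  const signature = fields.get("v1");
  if (!timestamp || !signature) return false;

  // A non-numeric timestamp parses to NaN, and `NaN > limit` is false, so it
  // has to be rejected explicitly or it would skip the freshness check.
  const sentAt = Number.parseInt(timestamp, 10);
  if (!Number.isFinite(sentAt)) return false;

  // Reject timestamps more than 5 minutes away from now (past or future).
  const age = Math.abs(Date.now() - sentAt);
  if (age > 5 * 60 * 1000) {
    console.warn("Webhook timestamp too old:", age, "ms");
    return false;
  }

  // HMAC-SHA256 over "<timestamp>.<body>"; feeding the body separately lets a
  // Buffer be hashed byte-for-byte instead of through a string conversion.
  const expected = crypto
    .createHmac("sha256", WEBHOOK_SECRET)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest("base64");

  // timingSafeEqual throws on inputs of different length, so compare lengths
  // first; the length of a SHA-256 digest is not secret.
  const given = Buffer.from(signature);
  const wanted = Buffer.from(expected);
  return given.length === wanted.length && crypto.timingSafeEqual(given, wanted);
}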
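// Webhook receiver: authenticate the delivery first, parse it second.
// Nothing from the body is trusted or logged until the signature has verified.
app.post("/webhooks", (req, res) => {
  const signature = req.headers["x-postcardbot-signature"];

  // express.raw() only produces a Buffer when the Content-Type matched
  // "application/json". Any other body cannot be verified, so it is answered
  // exactly like a bad signature rather than failing on toString().
  if (!Buffer.isBuffer(req.body)) {
    console.error("Invalid webhook signature");
    return res.status(401).json({ error: "Invalid signature" });
  }

  const rawBody = req.body.toString();
  if (!verifySignature(rawBody, signature)) {
    console.error("Invalid webhook signature");
    return res.status(401).json({ error: "Invalid signature" });
  }

  // A signed body should always be valid JSON, but a parse failure must not
  // escape as an unhandled exception (which would surface as a 500).
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch (err) {
    console.error("Webhook body is not valid JSON:", err.message);
    return res.status(400).json({ error: "Invalid JSON" });
  }

  console.log(`Webhook received: ${event.event}`);
  console.log(` Postcard: ${event.postcard_id}`);
  console.log(` Status: ${event.status}`);
  console.log(` To: ${event.to?.name}, ${event.to?.city}`);
  console.log(` Time: ${event.timestamp}`);

  // Handle different event types; unknown types are acknowledged without action.
  switch (event.event) {
    case "postcard.created":
      console.log(" -> Postcard created, will be printed soon");
      break;
    case "postcard.sent":
      console.log(" -> Postcard printed and mailed!");
      break;
    case "postcard.delivered":
      console.log(" -> Postcard delivered!");
      break;
    case "postcard.failed":
      console.log(" -> Postcard failed:", event.error);
      break;
    case "postcard.returned":
      console.log(" -> Postcard returned to sender");
      break;
  }

  res.json({ received: true });
});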
// Start listening and print where test deliveries should be sent.
app.listen(PORT, () => {
  const startupLines = [
    `Webhook server listening on port ${PORT}`,
    `POST http://localhost:${PORT}/webhooks`,
    "\nUse a tunnel (ngrok, cloudflared) to expose this to the internet.",
  ];
  for (const line of startupLines) {
    console.log(line);
  }
});