feat: add signature verification to algolia webhook handler

app/api/algolia-webhook/route.ts

@@ -2,23 +2,31 @@ import algolia from "algoliasearch"
 import { env } from "env.mjs"
 import { NextRequest, NextResponse } from "next/server"
 import { z } from "zod"
+import { verifyWebhookSignature } from "@hygraph/utils"
 
 const client = algolia(env.ALGOLIA_API_ID, env.ALGOLIA_API_KEY)
 const index = client.initIndex("articles")
 
 export async function POST(req: NextRequest) {
- const authHeader = req.headers.get("authorization")
- if (!authHeader || authHeader !== env.HYGRAPH_WEBOOK_SECRET)
- return NextResponse.json({ message: "Unauthorized" }, { status: 401 })
+ const authHeader = req.headers.get("gcms-signature")
+ if (!authHeader) return NextResponse.json({ message: "Unauthorized" }, { status: 401 })
+
  try {
  const publishedData = await req.json()
 
+ const isSignatureValid = verifyWebhookSignature({
+ body: publishedData,
+ signature: authHeader,
+ secret: env.HYGRAPH_WEBOOK_SECRET,
+ })
+ if (!isSignatureValid) return NextResponse.json({ message: "Unauthorized" }, { status: 401 })
+
  const parseResult = bodySchema.safeParse(publishedData)
  if (!parseResult.success) return NextResponse.json({ message: "Bad Request" }, { status: 400 })
 
- const { id: objectID, ...data } = parseResult.data.data.PUBLISHED
+ // const { id: objectID, ...data } = parseResult.data.data.PUBLISHED
 
- await index.saveObject({ objectID, ...data })
+ // await index.saveObject({ objectID, ...data })
 
  return NextResponse.json({ message: "ok" }, { status: 201 })
  } catch (err) {
@@ -27,5 +35,5 @@ export async function POST(req: NextRequest) {
 }
 
 const bodySchema = z.object({
- data: z.object({ PUBLISHED: z.record(z.string(), z.any()).and(z.object({ id: z.string() })) }),
+ data: z.object({ localizations: z.array(z.any()) }),
 })

package.json

@@ -24,6 +24,7 @@
  "codegen": "graphql-codegen --require dotenv/config --config codegen.ts"
  },
  "dependencies": {
+ "@hygraph/utils": "^1.2.1",
  "@next/bundle-analyzer": "^13.3.0",
  "@radix-ui/react-accordion": "^1.1.1",
  "@radix-ui/react-checkbox": "^1.0.3",
@@ -80,6 +81,7 @@
  "@testing-library/jest-dom": "^5.16.5",
  "@testing-library/react": "^14.0.0",
  "@total-typescript/ts-reset": "^0.5.0",
+ "@types/lodash": "^4.14.197",
  "@types/node": "^18.0.0",
  "@types/react": "^18.0.37",
  "@types/react-dom": "^18.0.11",
@@ -118,4 +120,4 @@
  "node": ">=18.15.0"
  },
  "packageManager": "[email protected]"
-}
+}

utils/slateToText.ts

@@ -0,0 +1,11 @@
+import { isArray, isObject, isString, values } from "lodash"
+
+export function slateToText(obj: unknown): string {
+ if (isObject(obj))
+ return values(obj)
+ .map(slateToText)
+ .reduce((acc, val) => acc + val, "")
+ if (isArray(obj)) return obj.map(slateToText).reduce((acc, val) => acc + val, "")
+ if (isString(obj)) return obj
+ return ""
+}

yarn.lock

@@ -3247,6 +3247,11 @@
  resolved "https://registry.yarnpkg.com/@humanwhocodes/object-schema/-/object-schema-1.2.1.tgz#b520529ec21d8e5945a1851dfd1c32e94e39ff45"
  integrity sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==
 
+"@hygraph/utils@^1.2.1":
+ version "1.2.1"
+ resolved "https://registry.yarnpkg.com/@hygraph/utils/-/utils-1.2.1.tgz#31bf3a007ce388897f891c63b79e0de85978962b"
+ integrity sha512-Eu4xKWAAzAhWUcgxSzgL+6o5alCItry1Jo0LtsnQ3q3/EaGHeI3Z/kMuGvsFf8zrhyAljeSHC4otwRc5ibMinQ==
+
 "@isaacs/cliui@^8.0.2":
  version "8.0.2"
  resolved "https://registry.yarnpkg.com/@isaacs/cliui/-/cliui-8.0.2.tgz#b37667b7bc181c168782259bab42474fbf52b550"
@@ -7034,6 +7039,11 @@
  resolved "https://registry.yarnpkg.com/@types/lodash/-/lodash-4.14.195.tgz#bafc975b252eb6cea78882ce8a7b6bf22a6de632"
  integrity sha512-Hwx9EUgdwf2GLarOjQp5ZH8ZmblzcbTBC2wtQWNKARBSxM9ezRIAUpeDTgoQRAFB0+8CNWXVA9+MaSOzOF3nPg==
 
+"@types/lodash@^4.14.197":
+ version "4.14.197"
+ resolved "https://registry.yarnpkg.com/@types/lodash/-/lodash-4.14.197.tgz#e95c5ddcc814ec3e84c891910a01e0c8a378c54b"
+ integrity sha512-BMVOiWs0uNxHVlHBgzTIqJYmj+PgCo4euloGF+5m4okL3rEYzM2EEv78mw8zWSMM57dM7kVIgJ2QDvwHSoCI5g==
+
 "@types/long@^4.0.1":
  version "4.0.2"
  resolved "https://registry.yarnpkg.com/@types/long/-/long-4.0.2.tgz#b74129719fc8d11c01868010082d483b7545591a"