wirabasalamah/BizOne-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Handle Meta webhook signature on default endpoint in dev

Browse Source
This commit is contained in:
wirabasalamah
2026-05-23 08:28:35 +07:00
parent 8a7d0103ee
commit 77cc676f40
2 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/src/webhooks/webhooks.service.ts
View File

@ -235,14 +235,22 @@ export class WebhooksService {
const normalizedProvider = provider.toLowerCase();
const metaSignature = this.readHeader(headers['x-hub-signature-256']);
const genericSecret = this.readHeader(headers['x-webhook-secret']);
const isMetaSignatureFlow = normalizedProvider === 'meta' || normalizedProvider === 'default';
const hasMetaSignature = !!metaSignature;
if (normalizedProvider === 'meta' && config.appSecret) {
if (isMetaSignatureFlow && config.appSecret && hasMetaSignature) {
if (!rawBody || !metaSignature) {
throw new UnauthorizedException('Missing meta webhook signature');
}
verifyMetaSignature(rawBody, metaSignature, config.appSecret);
return { verified: true, reason: 'meta-signature' };
return {
verified: true,
reason:
normalizedProvider === 'meta'
? 'meta-signature'
: 'meta-signature-on-default-endpoint',
};
}
if (genericSecret) {
@ -253,7 +261,7 @@ export class WebhooksService {
return { verified: true, reason: 'shared-secret' };
}
if (config.allowUnsigned) {
if (config.allowUnsigned || !config.isProduction) {
return { verified: false, reason: 'unsigned-development-request' };
}
@ -281,6 +289,7 @@ export class WebhooksService {
? storedJson.appSecret
: env.metaWebhookAppSecret,
allowUnsigned: env.webhookAllowUnsigned,
isProduction: env.isProduction,
subscriptions:
Array.isArray(storedJson.subscriptions) && storedJson.subscriptions.length > 0
? storedJson.subscriptions.filter((item): item is string => typeof item === 'string')

2
backend/src/webhooks/webhooks.utils.ts
View File

@ -203,7 +203,7 @@ export function normalizeWebhookPayload(provider: string, payload: unknown) {
const normalizedProvider = provider.toLowerCase();
if (
normalizedProvider === 'meta' &&
(normalizedProvider === 'meta' || normalizedProvider === 'default') &&
readString(payloadRecord.object) === 'whatsapp_business_account'
) {
const metaEvents = buildMetaEvents(payloadRecord, normalizedProvider);