( request: Request, expectedToken: string, secretHeaderName?: string )
| 71 | * Used by generic webhooks, Google Forms, and the default handler. |
| 72 | */ |
| 73 | export function verifyTokenAuth( |
| 74 | request: Request, |
| 75 | expectedToken: string, |
| 76 | secretHeaderName?: string |
| 77 | ): boolean { |
| 78 | if (secretHeaderName) { |
| 79 | const headerValue = request.headers.get(secretHeaderName.toLowerCase()) |
| 80 | return !!headerValue && safeCompare(headerValue, expectedToken) |
| 81 | } |
| 82 | |
| 83 | const authHeader = request.headers.get('authorization') |
| 84 | if (authHeader?.toLowerCase().startsWith('bearer ')) { |
| 85 | const token = authHeader.substring(7) |
| 86 | return safeCompare(token, expectedToken) |
| 87 | } |
| 88 | |
| 89 | return false |
| 90 | } |
| 91 | |
| 92 | /** |
| 93 | * Skip events whose `body.type` is not in the `providerConfig.eventTypes` allowlist. |
no test coverage detected