checkWebhook

@rotorsoft/act-root


Function: checkWebhook()

checkWebhook(headers, body, options): Promise<CheckResult>

Defined in: libs/act-http/src/receiver/check.ts:70

Framework-agnostic receiver check: verify the signature (when a secret is configured), extract the Idempotency-Key, and claim it on the store. Returns the request's fate as a discriminated union the per-framework adapter translates into the framework's idiomatic 4xx response or context injection.

Order of checks (matters):

  1. Verify signature + timestamp window (when secret is set). Rejecting bad signatures before extracting and claiming the key keeps attacker-supplied keys out of the dedup store; otherwise a flood of spoofed POSTs would pollute the LRU.
  2. Extract the Idempotency-Key. Missing → reject with 400.
  3. Claim the key on the store. If already seen, return { ok: true; deduped: true } so the framework adapter can short-circuit the handler without re-running side effects.

The dedup store may be sync (InMemoryIdempotencyStore) or async (durable adapters like a future PostgresIdempotencyStore); the core awaits unconditionally so both shapes compose cleanly.
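
The ordering above as a self-contained TypeScript sketch, added here as an illustration and not the library's own code. The `x-timestamp` / `x-signature` header names, the HMAC-SHA256 over `timestamp.body`, the 300-second window, the 401 status and the failure variant of the result are assumptions; `checkSketch`, `sign` and `SetStore` are hypothetical names.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed shapes: only { ok: true, deduped: true } appears on the page.
type Result =
  | { ok: true; deduped: boolean }
  | { ok: false; status: number; reason: string };
type Headers = Record<string, string | string[] | undefined>;
interface Store { claim(key: string): boolean | Promise<boolean> } // true = first sighting

const one = (v: string | string[] | undefined) => (Array.isArray(v) ? v[0] : v);

// Assumed signing scheme: hex HMAC-SHA256 over "<unix seconds>.<raw body>".
function sign(secret: string, ts: number, body: string): string {
  return createHmac("sha256", secret).update(`${ts}.${body}`).digest("hex");
}

// Synchronous in-memory store; an async store would return a Promise from claim().
class SetStore implements Store {
  seen = new Set<string>();
  claim(key: string): boolean {
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    return true;
  }
}

async function checkSketch(
  headers: Headers,
  body: string,
  opts: { store: Store; secret?: string; toleranceSec?: number; now?: number },
): Promise<Result> {
  // 1. Signature + timestamp window first: a forged request returns here
  //    and its Idempotency-Key is never read or written to the store.
  if (opts.secret) {
    const ts = Number(one(headers["x-timestamp"]));
    const now = opts.now ?? Math.floor(Date.now() / 1000);
    if (!Number.isFinite(ts) || Math.abs(now - ts) > (opts.toleranceSec ?? 300))
      return { ok: false, status: 401, reason: "timestamp missing or outside window" };
    const got = Buffer.from(one(headers["x-signature"]) ?? "", "hex");
    const want = Buffer.from(sign(opts.secret, ts, body), "hex");
    if (got.length !== want.length || !timingSafeEqual(got, want))
      return { ok: false, status: 401, reason: "bad signature" };
  }
  // 2. Extract the key only after the sender is authenticated.
  const key = one(headers["idempotency-key"]);
  if (!key) return { ok: false, status: 400, reason: "missing Idempotency-Key" };
  // 3. Await unconditionally so sync and async stores behave the same.
  const fresh = await opts.store.claim(key);
  return { ok: true, deduped: !fresh };
}
```

The signature must be computed over the raw request body string, before any JSON parsing or re-serialization, or a valid request will fail the comparison.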

Parameters

headers

Record<string, string | string[] | undefined>

body

string

options

CheckWebhookOptions

Returns

Promise<CheckResult>