feat(api): add clerk webhook security check

apps/api/package.json

@@ -11,7 +11,8 @@
     "@hono/clerk-auth": "^2.0.0",
     "@hono/zod-openapi": "^0.16.2",
     "@scalar/hono-api-reference": "^0.5.149",
-    "hono": "^4.6.3"
+    "hono": "^4.6.3",
+    "svix": "^1.36.0"
   },
   "devDependencies": {
     "@types/bun": "latest"

apps/api/src/user/index.ts

@@ -1,5 +1,6 @@
-import { OpenAPIHono, type z } from '@hono/zod-openapi'
+import { OpenAPIHono } from '@hono/zod-openapi'
 import { HTTPException } from 'hono/http-exception'
+import { Webhook } from 'svix'
 import type { Variables } from '..'
 import get from './get'
 import webhook from './webhook'
@@ -21,7 +22,11 @@ app.openapi(get.route, async (c) => {
 
 app.openapi(webhook.route, async (c) => {
   try {
-    const result = await webhook.func({ payload: await c.req.json() })
+    const wh = new Webhook(import.meta.env.CLERK_WEBHOOK_SECRET as string)
+    const payload = await c.req.json()
+    const headers = c.req.header()
+    const verifiedPayload = wh.verify(JSON.stringify(payload), headers)
+    const result = await webhook.func({ payload: verifiedPayload })
     return c.json(result, 200)
   } catch (error) {
     if (error instanceof HTTPException) {

apps/api/tsconfig.json

@@ -1,7 +1,27 @@
 {
   "compilerOptions": {
-    "strict": true,
+    // Enable latest features
+    "lib": ["ESNext"],
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleDetection": "force",
     "jsx": "react-jsx",
-    "jsxImportSource": "hono/jsx"
+    "allowJs": true,
+
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+
+    // Some stricter flags
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noPropertyAccessFromIndexSignature": true
   }
 }