From 971da61e7b6b4b3fa67e521edf347264207842ae Mon Sep 17 00:00:00 2001
From: Lars Hampe <hello@hashdot.co>
Date: Mon, 30 Sep 2024 20:57:20 +0200
Subject: [PATCH] feat(api): add clerk webhook security check

---
 apps/api/package.json      |   3 ++-
 apps/api/src/user/index.ts |   9 +++++++--
 apps/api/tsconfig.json     |  24 ++++++++++++++++++++++--
 bun.lockb                  | Bin 394152 -> 398856 bytes
 4 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/apps/api/package.json b/apps/api/package.json
index dc8c48e..1323cba 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -11,7 +11,8 @@
     "@hono/clerk-auth": "^2.0.0",
     "@hono/zod-openapi": "^0.16.2",
     "@scalar/hono-api-reference": "^0.5.149",
-    "hono": "^4.6.3"
+    "hono": "^4.6.3",
+    "svix": "^1.36.0"
   },
   "devDependencies": {
     "@types/bun": "latest"
diff --git a/apps/api/src/user/index.ts b/apps/api/src/user/index.ts
index c3ba76c..26e3cf6 100644
--- a/apps/api/src/user/index.ts
+++ b/apps/api/src/user/index.ts
@@ -1,5 +1,6 @@
-import { OpenAPIHono, type z } from '@hono/zod-openapi'
+import { OpenAPIHono } from '@hono/zod-openapi'
 import { HTTPException } from 'hono/http-exception'
+import { Webhook } from 'svix'
 import type { Variables } from '..'
 import get from './get'
 import webhook from './webhook'
@@ -21,7 +22,11 @@ app.openapi(get.route, async (c) => {
 
 app.openapi(webhook.route, async (c) => {
   try {
-    const result = await webhook.func({ payload: await c.req.json() })
+    const wh = new Webhook(import.meta.env.CLERK_WEBHOOK_SECRET as string)
+    const payload = await c.req.json()
+    const headers = c.req.header()
+    const verifiedPayload = wh.verify(JSON.stringify(payload), headers)
+    const result = await webhook.func({ payload: verifiedPayload })
     return c.json(result, 200)
   } catch (error) {
     if (error instanceof HTTPException) {
diff --git a/apps/api/tsconfig.json b/apps/api/tsconfig.json
index c442b33..59a229d 100644
--- a/apps/api/tsconfig.json
+++ b/apps/api/tsconfig.json
@@ -1,7 +1,27 @@
 {
   "compilerOptions": {
-    "strict": true,
+    // Enable latest features
+    "lib": ["ESNext"],
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleDetection": "force",
     "jsx": "react-jsx",
-    "jsxImportSource": "hono/jsx"
+    "allowJs": true,
+
+    // Bundler mode
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "noEmit": true,
+
+    // Best practices
+    "strict": true,
+    "skipLibCheck": true,
+    "noFallthroughCasesInSwitch": true,
+
+    // Some stricter flags
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "noPropertyAccessFromIndexSignature": true
   }
 }
\ No newline at end of file
diff --git a/bun.lockb b/bun.lockb
index 5084c700680c535e2a7b4f709e7d8bfb1aa1d2bf..78b76b2e754bb16c1cd4daa1b2af59e14d06ca90 100755
GIT binary patch
delta 6148
zcmdT|X;f6#vOcE=q%kUrMp3~LC+tQLXpli95J7PYDryXZihu$wGzyw1;*4?b=yr}0
zF^Z^RkQQTtOo|~2PDq?J&WaKBa&IKj`&IYu*je|-eQUix@9jlVRbSPvQ)k!dbM~(N
zD>|&q>9Aha*J8txs2-J*=6%;#Ry}!RT}$sJZDz0S-72DII-4imB>hKfI}3rvl?`EC
zBu!PhsmJWnv~y!q3G3$}3JO73^aXee@C5Ld;9bG3z{h!t!Uy2P!AZZ#dCx(j&<1*P
zlB+w#X$Sx2(5*QCT`dZ&p~q+vG-N*vy(9EjUWV(WEeiG)g?0eE!0CeXW1=Fb!!bsq
znH4!TE@~$akmn-`Hn4vMZVw*mYrN1J*sY;IgHH231{?V*a7uK#CRsTxQX7?^F)+c`
z&xprI&Q@xs=AW`ZZWoh~JLLNP{SQv;a-TLTw>&yIGxwcU)BM`u4KEyuGY7h#o!@a>
zV_;R8>+`E?AAF~Odu)AU*6!nW(#5T9D_DmbkJ`QcZhko@xbLt*Gw#%FJ-YOxt6Pp%
zw<^mjAD>&`W?7Z!blo#_ZI1(wL-QAT_kXT%Mph#3u&1t@k0XodA}Xx0SY8~J!(s(X
zZ(W3sr91-`e_ec_m%Iv6fKD0UW!VZ#?+tI3xKuKLyjny883II#xfZ&H7)Qh0O!Cty
zKk-sL;xpvB#6Y#&9VH9V)i3b2gfIZp1YP2AwLA}+udY78OYwpv;4+<auv(!)r3OP2
zb<RO*MLaZ`Bh%#$Q%iPwu_ygRUxk3;(G3VX=RCC{9NI90*6@*9vfrC!JHqEaP#2&Q
zU1GUf(H>>=fF{@F4pmD=`LLP&;Zp%L$T%}VEpLI6j@2nY@>0Y>GG^2esJ6_8<_|BH
z=x<yA$s1pmt;GC~QS<;~)Ihc3D`>P(Qk^rj8fbJyqh^W601qtJf}oM7M3)<&RxIT<
znXVx~EjjL|pXnstwR5(_>J~H;1gcOGxCH!ra2n>E@E-_gYetCe)5u)H-To(>rkC;X
z6?`6X!cTMEoXdb$ar;@$tHJ3Jt7(SP(ZmY?DDNxa^psrXj@LQA$@y(?ns^7C#+_#R
zZBAm||JR%M{omdE3ePxE?-?h_`8e&7gUzLWN|oz#+oUsHmP9nYQE$rbaqdfHX86~0
zlus8F<i~0{1<i=)UD@)b-L~|vS6<6_I^1tT`@Rha8b-eSc*Zp>swli|^%h)D1>i&W
zX}`$}dqys}->R{x;)3tNGXIq2M-P_m-&&kjc-1~Lpfv53Pw2X=Tekh*N^^s9?^TBQ
z&Uw6Y_9MrBwtwpVb%K8eTaYj5kk+qHOUsl#i6gFfxFqKN*8S~Zo5t%G?|eHn<KY0$
zwxiE)4oup0b%p$S;D{Mbj%)wvR}>YpJT>~!?Aeu9mZ+V+SR$IGS7e@E+f}>QMYjFH
z{rjOiRTpw|&Zz6px%Vn=)Gw|7*Zsl~hxcuF-(SDD>(91}XL@W4?2+>LRp>VPjhd`}
zdxCuY^WsCY_b_Dv(mQlgT0SIl*q&>L_66m6Z*{k~X`i)lV@AxB(ERAz*2f-PX`C^)
z|B`Oo$3KsHy5n9OTc4(hd)KeFD9@CCn{#em{7|#>zBf;=&HkzFM(&Kc?Y(i!xrr{X
zGbfDm`0VbpClzOVb?;d6L9>z_pE+$f;(pjx2nc(+BP8|mri0dl>=GNdADQ^Na8=*B
zoQ3QLrKe3Fvmm&5j{d{wqrR7C7D$D>w#E8gH@4ff@GSY`lj_^GS+lwqDmJEP<o$BV
z?$hpzuN+CW&VS-kU3WHM%{MOfFU->W!92a(J)X}$KX7W~k?V8S4<Eg1X3_CN-o~oH
z^Dn;2o&HBx)sHXp{l#;wkJzqkkv3vThHCnz?CQRnn%*ZCu{OW1P;ILl#nv1}dUfl2
z-x@3o&HmM~eBaAe=bHzm#h*!Qnb~yI=7#Mq%S(N3w7=7FK+%@+)-S{Fe)(!$cu`r!
z@)t4XRb4i{+Ws<R(mb>Dip|qg&sm-KWYg0Fp||`FPOdFqXK!Jnh$;L0&EX$=DXQM=
zE4o$MwxG7Ct8Hc2H1C=TDYZ|Z9S;kevUHoB+ZXem)I~=eVLpXO@9WRTba;3FP^7#^
zV{J;G=BL{DW`*s)yxB6W`ER~~-_P<)%X#)=`^37yovR+Imo~=kU1k;g)4Mpo$;myd
z$Ho>t#w-7?pGJv!dY#vwI?X0k+;ys`Njwq1LsREbF#JXL5qDobzB46c`Js%hq3-wQ
zwz9U3Qy*D&yX0lF<abT$)~#@B-F#a^tJULszJAB*kzUB<qH6!Wxx*f+yQ@|&?VPhG
zV)w(!KkKu49P7C?XZpTYHZ%2(L0<-YAHQtB;{%)NH`_gkx)L#~-RO1N)Q)*?28;|g
zORtRmk|zmc`}L9*%qL$mT&!Rj`2Z#y15i)EY35k~z_JLy&H?~u*kb_VPi)9huqw8d
z*w3ti*jW}_2zHL`Ay&<PCsxD8=)umj1H>*c@fg@eHj&sRmP_n1Qxt*K>LZIJLqiHn
zB{ET8y<XZ&)W2wy+>*SPt!0G#-~PY3R5JFzXS~>OSD`App9K;tzn_f{${!b5|6=Lj
zz_;&=gWjqmVM5IW7vpC4FP%Pvt{fZ1eJDyN`YvLOX1T>u8=o=2$dyohJ`E$3yVLAg
zj*aCQsTz)rW8z7K7|%`EPYX}^6~j1&EvfJu$0l$L`(?qAXEBkDp%9a}30rZYlDmJ(
zG3;`MDZuC^Cj)B_-U{Raj561<Jrp8^yJPn)#DQp}0wWjf*aa;C81p%X&9$)HfC$1D
ztbsx-;32R-7dCLyLXLe1eGA9ZI7XRdacmJAQi2fa+++*5mYWuH4Cer0Az!*B9P0!u
zgs;U?wt+${<0d<p9`dzV&M}+>glQaG!LcsDzTqKOvO5$agPXd+w1hTH7^{HMT6703
z1BOF{u$uezfP5M<jWx`<6d~4flLH_vH?8AXFJK-VTMtfQdxN|n)ADa*=@dc-mAv|b
zq$FT$2B$*y1IakXIOYgU4w<U8g`KAm+n`c(C8!tzRb~fwS3%wjj4HE}V@{BXXzXI$
z$`ImfZo)A{sN<`@n`79Y3k~Fpv4>*=Auom>RV$MvQV7~2P||Lo30P?=+HsCyQ!Py7
zt54r*@>7F`BSdHL6Rd<n(07s&^#n!p0$$|qgMc02Aue$YrwbvQW0zU$a)hYmCLfp%
zanlu!;jkdw<%O=}7!EN)A;*4Ukrd)4Hw}U5DP$VAIOY%eCyw3b*hj#uA@>2l!*VIa
zU2X~lWCfXu`zyyjhOB^0#k~hkl^Y7OfK0`Gz{CoKc*xy@0p*bo#v_j593_+)5J7m%
zvEk5Z15e`#8$%%|dHe|@KwV*S1%J-nM?#L~>+>5hy22>XF{}lxNdwzMAzpI#F@R2R
z(<_dB0&EH}TBp|>3x!NKLO1yj)<7W|xoI3AI$6;8C&$J^ZUlvZ{>8B{vUBWrHslmS
zyy2#afM@cgn>aQJ*eqalLw|7WQ^*P2?@zV?A=2K$MECd^D3~v&faK{(3<nhe8w)OS
zYzkyL|Im<dECTWy5M?dpSR~{%km-^#j!lJJh<FrNZp4}kedwXZ@Vm!Ur={b?e3pJ%
zdd-2pCUkJC1pNe}!yug}kAez8deAX_e5JIL)UFmX9p>mDSPr7|<p~g-JCEx(RY~(@
zt?4XBKVUi>o&x=#A6FxFk|^lWC<dL>FS{TeD2mrv(M73NyvdZ8q+a4hee5MdujzMQ
zmi89K8?2%h`YrZ*t<<p-o&TDU`UkiJJ??8ZJ+>IHr84GpTI!&WxFS7apLPx?{Wi)$
zWuQV(DTwxOCqeWw(1YkjaSU_<L@xvS)zg=nwxK_QDnK-!-nFMdXF!!8`n*?x$Yzha
znfO_w9x5atw`%U-2Tt#TK_Gey*MKgA&V#<e<O|?bZ+g8Dr|J+V>O+OZket^SHcEFM
zZYGAisXSG#`bk-`0^7g3W2OdCcU;yuOnog=Yeyo6JF5n$&>AsyzD&&@SX@;uD%bbD
zF;jcUFlQjmF?HEYjV4%ttI}XHHRepcDZ?aJ72e9G7M-a}1&fQyS%vqysflOmV;SZc
zk~6jMOdTx49Cw;yYVetQT(AsGQ@N7K)ax^~yI^uN-fL9CG|lwbgy^MfHjTZ#Y(r67
zF?;}0K-#8$ps6J$5f>r>O54;iG&RlWLdIykC%9<iwNX>tmXGz6ur9^29-U2{!Q$wv
z+pCK*`eTAKYJ`tZur~`YmW4>Z@?kl}vJR3wA9ku(wn!4`%Yse<f9A_JpOkHrcnoGP
zB{CPus=;hV33OjSCMlJLG#`E5SpCr#WbB~Cq9fCm${Y;Pw_8eOqSc}cMtg$Iip(;Z
zKC?`&@EArNQzxYpF{QI=pgVF;j-KzQO{Q*TT<lb*spvMkyGCi<m9vvH@v+*d8Ijs#
zr8Xwg#m(I?YerP^w3s<baqLBqyxSlM%Gr@g+9(A5OGacjm9rso;+&|YdD`S8EOYFP
zc}Y=;b7GUCw946<B-Ywj-kDjil*?>QP%?s;yCky>ZgL0vzsG>j-vB1M%6qBbr)Ii4
zL!L@Qap)EkG}EJ$1}r5eGC3vMD6^8YvQAyh5llB%5x||5l*+q1z7GJG_lnX*r8X`i
zpGHeVQC08t_c3XS3{M}WloB;Hc6yw0nkHdxR1(vq$-DOc8>EfZBxq@_xt{@K=RcP_
zw4kRHW@5?#to22C4_mWh!D6PdwG-tIc4lRT*-TU7N6yk0%DZ*^k4FKH#%F@1-;_J(
z4>rl?%B{Y$G46UQZJ48I;lM_S7M-lD+Zw^$ZCSR&q7z#qTI5^Ra8PJx^wdZ!oUMX*
LFF&;%dA|KOz4$yN

delta 3652
zcmeH~c~n$&6vuyW83Ys+(ZmH%b3Gu7S~CbJxPS^GWbSE_rDQ4YnblGBB$~&gH0e(>
z&&jRQ(3CMA%fPURf*~-tW?Ak_rljSPCH1|`^_=>@)9H_XXYSm4Kli@-e(!hZz4x0{
zS-ziT_^uD`6*VRQk>|<X9eZ8$&(1DzgcQ{;zjN=ChUw178L26|)_mlvxd|FaGsgv}
zT^t7%=lXR?O`DxYY@b;X?S)vDXi<b0^iJqD&>Jn*e1HEDUi}r}1Ghe05&qD2_)VeL
z;;@#`aS@7W4sB(91=<t-%V`UGPfMBq%Ivg8B{oOex&$2dvn53Z-8O|HLAR#Io7IPA
z`6yT!;4ukjjQ|x^#b)-%gEyklD;Z)|wQ!jqf}Chfp%18PjVU*K%!6lvXR@XbGpl>T
z<&se3bi(w8xsDua_DF^IJiI2>n7bBtI0NA5){<DWy9x6g1WzW%siD@;0q*LU2$>&-
z659|Nf(Q!7nmy{_MZ(jp3cSEb*GXO8G<eTGiJ5l5i?lv2j&x^?6Ad-1ZK8}NeU*!T
zF-@@8Hu_?%LVpRLw85M-`FZUBRqJwXveI^_f^aFP9fCH&uY}g1tC&}_u4P>ZO~)OF
zrg7Xzc}}tYx2BZQZmwdqo2zEU$|$=UuNZQ*T^%P=b5$>Si$I<XF9h(-1K3&!P#|v*
zs30)12%u1IE&^Db5Ac|PLk@QU^eh0_>i{T`zY;h@U~(})ncQ6ru*weLRRT~hCzJqK
z3IPfU9FZQS0M`l3Dg~%C@=DdX1S4>Z)?G1@8q`{RSE?<PzY`b#|NGxrflBq@Kd}B1
zecVoM93AYL>YzJHh^|MZsY)B@FB<-E4T3R<(GAtd^;{J(GNnrMi5kS1j_g1;CdOc9
zI_!>(M2I0^bemHO-ODs$<pC-Y$LU1VI5dozJJ=#-!<l)2-Q-z}kjgQXi02R<(;|>(
zk-)4On3>r~W_aq03NDc-lc~fggxUhPfLIWs$xa8Oi@;MK4^ez!%;XZ@uwQQ^LcAuo
zQHfay(P4Obh?N{l<Mh_>*FmVt9A<duh)f8Lx$+K`n8zWS$*#tL5c8S&!tc&(0kd}S
zPcd64W2#YN5r;YeC-8N@!Hl{wiI;ORGe59vycTcDOe(R2Ljefw;1X{!>jbuw+1t!I
zgRS88c}HHL5=%MsG(tyU(^$r=E9{lDP#EdVy1}LkrLkOw)u6-*xRlic5&@f5{9R7(
z30vj#mC$7Nf@sWE%XBL79$fm-20~1*TS2dZrm{hh-8_r6%zA@4z^F6pq?1al=Mo`6
zBs4Oa;iWFZAk>-nnUQ~#m)I&h*P_G+9O{eEa)hw=5F5a#$^9S!oSwyb&w!1`5>p5F
z%DGfxABW69@kpmee!&b|0x=y8#9l@02YU)S95REOdRUfF3F-o^1@;_b4>z!a8D94y
zi&-VJD6qZEj!JJQN_@qkfe7VrzpKC~D;lx}jD8DF&WnM46E=-HnL;Iwb7(M7OW4%N
z6U>Id_GWgH*-$V~*woxp@&J`M4VU^B2XTW<&Hb9wu@MrVBS_6X%WOF8Y&rnr8>!Tx
z#J3!Z2cjJWjdRQrVBdvc-zB~S!$*vSbV43=>w-+C5*NX#=qN}ouAA26GM7k#UBK&e
zg;_F~o%62BZB*hKhejhr7ZMA7of-CU!iM@Z`5Vl}z@~i;jUVJ4DnYADO&te$0HMkM
z$ZS09SJ9e8=v&Mtz@EuXy)9#oYd%ZsIW!5O*&O<b*$ZH0m^4lP4j5hVWXNz{&YwAN
z3fMs~n)NTtUW84%F&g)nO@;jkG8S^*#rla9IBRhdn!p22d<k|A3R2;R%#!#y((kk;
z<1cI7WY7sMR8Bpio$;nO3T+(oA$Ew(n0!*}pm|lmc0g#;nPY4?quF#X+Bwn<N*m8y
zW5PKtL{+Mc%<r|nic&4h&ujCQS{Z&pi%`mqg%^k(Gj?CpdMHYbbY6n*l%~sCU<cY^
z{)Xu_!}JVHbt?TXF|zJAPOq~u=dxz^Us?iMNGXsUNG|Jq=sbuWQUIZMZxMuY{L#`U
zx|sdhI7KPPqoL_G?GLd)${=(rAA;<_vE|Uzio+V7A!N|XktR7$3y+alYBXs2)_qM-
zn1-=ETR+%NO|-~E$MilOH{uTo{mXI8IJ>1LZ*`EWObH7P55}`;r$x4^))UnFa5=SF
z_f@_6%O%zNGS%K+{!TnDLXN1>KUA#|@@kFVN4*ju+t<S194T{Z^#spNrLJ3JQ<-e$
z)T2L5a_Wj_1^vu0yp@cJb-FRJ&g5Y++?%^CGI=H`t_NAFBKNd*>n8X6xcN5S&oEkb
klU`1}y}ae)X7ik*x>7$@DRpeq>+Iv-pew6e8@Ee;0{s*Ug8%>k