Merge pull request #1882 from dubinc/verify-qstash-update

Update verify QStash

apps/web/app/api/cron/domains/configure-dns/route.ts

@@ -10,7 +10,7 @@ export const dynamic = "force-dynamic";
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const { domain } = body;
 
     const res = await configureDNS({ domain });

apps/web/app/api/cron/domains/delete/route.ts

@@ -20,7 +20,7 @@ export async function POST(req: Request) {
   try {
     const body = await req.json();
 
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
 
     const { domain, workspaceId } = schema.parse(body);
 

apps/web/app/api/cron/domains/transfer/route.ts

@@ -21,7 +21,7 @@ export async function POST(req: Request) {
   try {
     const body = await req.json();
 
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
 
     const { currentWorkspaceId, newWorkspaceId, domain } = schema.parse(body);
 

apps/web/app/api/cron/domains/update/route.ts

@@ -22,7 +22,7 @@ export async function POST(req: Request) {
   try {
     const body = await req.json();
 
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
 
     const { newDomain, oldDomain, workspaceId, page } = schema.parse(body);
 

apps/web/app/api/cron/import/bitly/route.ts

@@ -13,7 +13,7 @@ export const dynamic = "force-dynamic";
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const { workspaceId, bitlyGroup, importTags } = body;
 
     try {

apps/web/app/api/cron/import/csv/route.ts

@@ -46,7 +46,7 @@ type MapperResult =
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const { workspaceId, userId, id, url } = body;
     const mapping = linkMappingSchema.parse(body.mapping);
 

apps/web/app/api/cron/import/rebrandly/route.ts

@@ -11,7 +11,7 @@ export const dynamic = "force-dynamic";
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const { workspaceId, importTags } = body;
 
     try {

apps/web/app/api/cron/import/short/route.ts

@@ -11,7 +11,7 @@ export const dynamic = "force-dynamic";
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const {
       workspaceId,
       userId,

apps/web/app/api/cron/links/delete/route.ts

@@ -12,7 +12,7 @@ export const dynamic = "force-dynamic";
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
     const { linkId } = body;
 
     const link = await prisma.link.findUnique({

apps/web/app/api/cron/shopify/order-paid/route.ts

@@ -15,7 +15,7 @@ const schema = z.object({
 export async function POST(req: Request) {
   try {
     const body = await req.json();
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
 
     const { workspaceId, checkoutToken } = schema.parse(body);
 

apps/web/app/api/cron/usage/route.ts

@@ -16,7 +16,7 @@ async function handler(req: Request) {
     if (req.method === "GET") {
       await verifyVercelSignature(req);
     } else if (req.method === "POST") {
-      await verifyQstashSignature(req);
+      await verifyQstashSignature({ req });
     }
 
     await updateUsage();

apps/web/app/api/cron/workspaces/delete/route.ts

@@ -17,7 +17,7 @@ export async function POST(req: Request) {
   try {
     const body = await req.json();
 
-    await verifyQstashSignature(req, body);
+    await verifyQstashSignature({ req, body });
 
     const { workspaceId } = schema.parse(body);
 

apps/web/app/api/webhooks/callback/route.ts

@@ -20,7 +20,7 @@ const searchParamsSchema = z.object({
 export const POST = async (req: Request) => {
   const rawBody = await req.text();
 
-  await verifyQstashSignature(req, rawBody, "text");
+  await verifyQstashSignature({ req, body: rawBody, bodyType: "text" });
 
   const { url, status, body, sourceBody, sourceMessageId } =
     webhookCallbackSchema.parse(JSON.parse(rawBody));

apps/web/lib/cron/verify-qstash.ts

@@ -7,11 +7,17 @@ const receiver = new Receiver({
   nextSigningKey: process.env.QSTASH_NEXT_SIGNING_KEY || "",
 });
 
-export const verifyQstashSignature = async (
-  req: Request,
-  body?: any,
-  bodyType: "json" | "text" = "json",
-) => {
+export const verifyQstashSignature = async ({
+  req,
+  body,
+  bodyType = "json",
+}: {
+  req: Request;
+  body?: any;
+  // due to a weird QStash bug, webhook URLs that have query params
+  // need to be verified with the text body type (instead of JSON)
+  bodyType?: "json" | "text";
+}) => {
   body = body || (bodyType === "json" ? await req.json() : await req.text());
 
   const isValid = await receiver.verify({