feat: secrets util + route (#23)

packages/express-backend/.env.example

@@ -3,4 +3,5 @@ DB_USER=
 DB_PASSWORD=
 SENDGRID_API_KEY=
 SENDGRID_VERIFIED_SENDER=
-FRONT_END_URL=
+FRONT_END_URL=
+WEBHOOK_SECRET=

packages/express-backend/ecosystem.config.js

@@ -0,0 +1,15 @@
+module.exports = {
+  apps: [
+    {
+      name: "wgp-api",
+      script: "./index.js",
+      watch: true,
+      env: {
+        NODE_ENV: "dev",
+      },
+      env_production: {
+        NODE_ENV: "prod",
+      },
+    },
+  ],
+};

packages/express-backend/index.js

@@ -9,8 +9,7 @@ const https = require("https");
 
 const IS_DEV = process.env.NODE_ENV === "dev";
 
-const { DB_NAME, DB_USER, DB_PASSWORD, FRONT_END_URL, DEV_FRONT_END_URL } =
-  process.env;
+const { DB_NAME, DB_USER, DB_PASSWORD, FRONT_END_URL } = process.env;
 
 const dbConnection = `mongodb+srv://${DB_USER}:${DB_PASSWORD}@prod.8tbszom.mongodb.net/${DB_NAME}?retryWrites=true&w=majority`;
 
@@ -30,7 +29,15 @@ db.on("open", () => {
 
 const app = express();
 
-const whitelist = [FRONT_END_URL, DEV_FRONT_END_URL];
+// https://api.wargameplanner.com:1337/api/v1/webhooks/release
+// https://wgp-be.ngrok.io/api/v1/webhooks/release
+
+app.use(bodyParser.json({ extended: true }));
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.use("/api/v1/webhooks", require("./webhooks/routes"));
+
+const whitelist = [FRONT_END_URL];
 app.use(
   cors(
     IS_DEV
@@ -47,9 +54,6 @@ app.use(
   )
 );
 
-app.use(bodyParser.json({ extended: true }));
-app.use(bodyParser.urlencoded({ extended: true }));
-
 app.use("/api/v1/accounts", require("./accounts/routes"));
 app.use("/api/v1/features", require("./features/routes/global"));
 app.use(require("./sessions/middleware"));

packages/express-backend/package.json

@@ -6,7 +6,8 @@
   "scripts": {
     "test": "mocha --recursive --exit",
     "dev": "NODE_ENV=dev nodemon index.js",
-    "start": "NODE_ENV=prod node index.js"
+    "dev-pm2": "pm2 start ecosystem.config.js",
+    "start": "pm2 start ecosystem.config.js --env production"
   },
   "keywords": [],
   "author": "",

packages/express-backend/utils/secrets.js

@@ -0,0 +1,24 @@
+const { WEBHOOK_SECRET } = process.env;
+
+let crypto;
+try {
+  crypto = require("node:crypto");
+} catch (err) {
+  console.error("crypto support is disabled!");
+}
+
+const validateRequestSecret = (request) => {
+  const expectedSignature =
+    "sha1=" +
+    crypto
+      .createHmac("sha1", WEBHOOK_SECRET)
+      .update(JSON.stringify(request.body))
+      .digest("hex");
+  const signature = request.headers["x-hub-signature"];
+  console.log({ expectedSignature, signature });
+  if (signature !== expectedSignature) {
+    throw new Error("Invalid signature.");
+  }
+};
+
+module.exports = { validateRequestSecret };

packages/express-backend/webhooks/routes.js

@@ -0,0 +1,32 @@
+const { execSync } = require("child_process");
+const express = require("express");
+const { validateRequestSecret } = require("../utils/secrets");
+
+const router = express.Router();
+
+const IS_DEV = process.env.NODE_ENV === "dev";
+
+router.post("/release", async (req, res) => {
+  let sentResponse = false;
+  try {
+    console.log("VALIDATING HOOK SECRET");
+    validateRequestSecret(req);
+
+    console.log("PULLING FROM MAIN");
+    await execSync("git pull origin main");
+
+    console.log("SENDING SUCCESS");
+    res.sendStatus(204);
+    sentResponse = true;
+
+    console.log("RESTARTING PM2 SERVICE");
+    await execSync(`pm2 restart wgp-api ${IS_DEV ? "" : "--env production"}`);
+  } catch (err) {
+    console.error(err);
+    if (!sentResponse) {
+      return res.status(500).send(err.message);
+    }
+  }
+});
+
+module.exports = router;