For quick Supabase webhook setup, refer to https://docs.val.town/integrations/supabase.
You can hard-code a secret as a webhook header for good-enough auth as outlined in those docs^. This example takes security a step further with full signature verification.
- Generate a high entropy secret key like
caffeinated-carpet-blunder-tournamentand add it both to your val's environment variables and Supabase vault:
- Go to Supabase database functions and create a function to generate a signature:
DECLARE
hmac_result bytea;
BEGIN
hmac_result := hmac(message::bytea, secret_key::bytea, 'sha256');
RETURN encode(hmac_result, 'base64');
END;
- Create another database function in Supabase to create the signed webhook:
DECLARE
url text;
secret text;
payload jsonb;
request_id bigint;
signature text;
BEGIN
-- Get the webhook secret from the vault
SELECT decrypted_secret INTO secret FROM vault.decrypted_secrets WHERE name = 'VAL_TOWN_WEBHOOK_SECRET' LIMIT 1;
-- Generate the payload
payload = jsonb_build_object(
'old_record', old,
'record', new,
'type', tg_op,
'table', tg_table_name,
'schema', tg_table_schema
);
-- Generate the signature
signature = generate_hmac(secret, payload::text);
-- Send the webhook request
SELECT http_post
INTO request_id
FROM
net.http_post(
'https://TODO', -- 👋 Copy-paste your val's HTTP URL here!
payload,
'{}',
jsonb_build_object(
'Content-Type', 'application/json',
'X-Supabase-Signature', signature
),
'5000'
);
-- Insert the request ID into the Supabase hooks table
INSERT INTO supabase_functions.hooks
(hook_table_id, hook_name, request_id)
VALUES (tg_relid, tg_name, request_id);
RETURN new;
END;
- Create a Supabase database trigger to call the webhook function:
- Copy or remix this val to receive webhooks and verify the signature you just set up in Supabase