lightweight/glimpse3
Remix of lightweight/glimpse2-runbook

Val Town Project with Webhook Authentication

This project implements a dual authentication system:

  • User Authentication: For regular web routes using LastLogin
  • Webhook Authentication: For webhook endpoints using X-API-KEY header

Authentication Architecture

Middleware Order

The authentication middleware is applied in this specific order:

  1. Webhook Authentication (/tasks/* routes) - X-API-KEY validation
  2. User Authentication (/api/*, /views/*, / routes) - LastLogin validation
  3. Route Handlers

Webhook Authentication

  • Scope: Only applies to POST requests under /tasks/*
  • Header: Requires X-API-KEY header
  • Secret: Validates against NOTION_WEBHOOK_SECRET environment variable
  • Security: Uses constant-time comparison to prevent timing attacks

Environment Variables

Set the following environment variable in your Val Town settings:

NOTION_WEBHOOK_SECRET=your-webhook-secret-here

API Endpoints

Webhook Endpoints (require X-API-KEY header)

  • POST /tasks/test - Test webhook authentication
  • POST /tasks/notion-webhook - Main Notion webhook handler

Debug Endpoints

  • GET /tasks/debug-webhook - Check webhook secret configuration

User-Authenticated Endpoints

  • GET / - Dashboard (requires user login)
  • GET /api/health - Health check (public)
  • Other /api/* and /views/* routes require user authentication

Testing Webhook Authentication

1. Test without header (should fail with 401):

curl -X POST https://your-val.web.val.run/tasks/test

2. Test with wrong key (should fail with 403):

curl -X POST https://your-val.web.val.run/tasks/test \
  -H "X-API-KEY: wrong-key"

3. Test with correct key (should succeed with 200):

curl -X POST https://your-val.web.val.run/tasks/test \
  -H "X-API-KEY: your-configured-secret-value"

4. Check webhook configuration:

curl https://your-val.web.val.run/tasks/debug-webhook

Security Features

  • Constant-time comparison: Prevents timing attacks on API key validation
  • Generic error messages: Don't reveal authentication mechanism details
  • Request logging: Failed authentication attempts are logged for monitoring
  • Method-specific auth: Webhook auth only applies to POST requests
  • Route separation: Complete separation between webhook and user authentication
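
The webhook check this README describes (POST-only scope under /tasks/*, 401 for a missing X-API-KEY, 403 for a wrong one, constant-time comparison), written out as an added example that is not the project's webhookAuthCheck.ts. The function names, the Decision type and the fail-closed 500 for an unset NOTION_WEBHOOK_SECRET are assumptions.

```typescript
// Added example; names are hypothetical, not taken from webhookAuthCheck.ts.
type Decision =
  | { next: true } // hand off to the next middleware or handler
  | { next: false; status: 401 | 403 | 500; log: string }; // log is server-side only

// Compare without stopping at the first mismatch, so timing does not reveal
// how many leading characters of the key were correct.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length; // unequal lengths can never match
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    // charCodeAt() past the end yields NaN; `| 0` maps it to 0
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

function checkWebhookAuth(
  method: string,
  path: string,
  apiKey: string | null, // value of the X-API-KEY header, null if absent
  secret: string | undefined, // value of NOTION_WEBHOOK_SECRET
): Decision {
  // Scope: only POST under /tasks/* is checked; everything else passes through.
  if (method.toUpperCase() !== "POST" || !/^\/tasks\//.test(path)) {
    return { next: true };
  }
  // Assumption: fail closed if the secret is unset, otherwise "" would equal "".
  if (!secret) return { next: false, status: 500, log: "webhook secret not configured" };
  if (!apiKey) return { next: false, status: 401, log: "missing X-API-KEY" };
  if (!constantTimeEqual(apiKey, secret)) {
    return { next: false, status: 403, log: "invalid X-API-KEY" };
  }
  return { next: true };
}

// Constructed sample requests: [method, path, X-API-KEY header value]
const SECRET = "constructed-sample-secret";
const samples: [string, string, string | null][] = [
  ["POST", "/tasks/test", null],
  ["POST", "/tasks/test", "wrong-key"],
  ["POST", "/tasks/test", SECRET],
  ["GET", "/tasks/debug-webhook", null],
];
for (const [m, p, k] of samples) {
  const d = checkWebhookAuth(m, p, k, SECRET);
  console.log(m, p, d.next ? "-> next" : `-> ${d.status} (${d.log})`);
}
```

The unset-secret branch matters because an empty header compared against an empty secret would otherwise pass the equality check.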

Project Structure

├── backend/
│   ├── routes/
│   │   ├── authCheck.ts           # User authentication middleware
│   │   ├── webhookAuthCheck.ts    # Webhook authentication middleware
│   │   ├── tasks/                 # Webhook endpoints
│   │   ├── api/                   # User-authenticated API endpoints
│   │   └── views/                 # User-authenticated view endpoints
│   └── ...
├── main.tsx                       # Main application with middleware setup
└── README.md

Implementation Notes

  • Webhook routes are designed for POST requests (as webhooks typically send POST)
  • GET requests to /tasks/* bypass webhook authentication (useful for debug endpoints), so GET handlers such as /tasks/debug-webhook are served without an X-API-KEY header
  • User authentication still applies to all other routes as expected
  • The middleware order is critical - webhook auth must come before user auth for /tasks/* routes