feat(revalidate): accept X-Webhook-Secret header for RustyCMS webhooks
Deploy / verify (push) Successful in 34s
Deploy / deploy (push) Successful in 54s

RustyCMS now sends its optional shared secret as X-Webhook-Secret. Keep
existing X-Revalidate-Token + ?token= query param for compatibility.
This commit is contained in:
Peter Meier
2026-04-17 23:49:57 +02:00
parent da340530ee
commit 4d79bf08da
+5 -2
View File
@@ -7,7 +7,8 @@ import { invalidateAll, invalidateCollection } from '$lib/cms';
* RustyCMS Webhook Receiver.
*
* Erwartet Payload mit `event` (z.B. "content.updated") und optional `collection` + `slug`.
* Auth via X-Revalidate-Token Header (shared secret aus REVALIDATE_TOKEN env var).
* Auth via X-Revalidate-Token Header, X-Webhook-Secret Header oder ?token=…
* Query-Param (shared secret aus REVALIDATE_TOKEN env var).
* Purged TTL-Cache: per-collection wenn collection bekannt, sonst komplett.
*/
@@ -24,7 +25,9 @@ export const POST: RequestHandler = async ({ request, url }) => {
throw error(500, 'REVALIDATE_TOKEN not configured');
}
const provided =
request.headers.get('x-revalidate-token') ?? url.searchParams.get('token');
request.headers.get('x-revalidate-token') ??
request.headers.get('x-webhook-secret') ??
url.searchParams.get('token');
if (provided !== token) {
throw error(401, 'invalid token');
}