From 4d79bf08da354936aa8c06c2e6b26a943ac0a8cb Mon Sep 17 00:00:00 2001 From: Peter Meier Date: Fri, 17 Apr 2026 23:49:57 +0200 Subject: [PATCH] feat(revalidate): accept X-Webhook-Secret header for RustyCMS webhooks RustyCMS now sends its optional shared secret as X-Webhook-Secret. Keep existing X-Revalidate-Token + ?token= query param for compatibility. --- src/routes/api/revalidate/+server.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/routes/api/revalidate/+server.ts b/src/routes/api/revalidate/+server.ts index f473003..e1a7588 100644 --- a/src/routes/api/revalidate/+server.ts +++ b/src/routes/api/revalidate/+server.ts @@ -7,7 +7,8 @@ import { invalidateAll, invalidateCollection } from '$lib/cms'; * RustyCMS Webhook Receiver. * * Erwartet Payload mit `event` (z.B. "content.updated") und optional `collection` + `slug`. - * Auth via X-Revalidate-Token Header (shared secret aus REVALIDATE_TOKEN env var). + * Auth via X-Revalidate-Token Header, X-Webhook-Secret Header oder ?token=… + * Query-Param (shared secret aus REVALIDATE_TOKEN env var). * Purged TTL-Cache: per-collection wenn collection bekannt, sonst komplett. */ @@ -24,7 +25,9 @@ export const POST: RequestHandler = async ({ request, url }) => { throw error(500, 'REVALIDATE_TOKEN not configured'); } const provided = - request.headers.get('x-revalidate-token') ?? url.searchParams.get('token'); + request.headers.get('x-revalidate-token') ?? + request.headers.get('x-webhook-secret') ?? + url.searchParams.get('token'); if (provided !== token) { throw error(401, 'invalid token'); }