feat: Add webhook signature verification for Fal.AI webhooks (fixes #26) #74

Open
nsrawat0333 wants to merge 1 commit into code100x:main from nsrawat0333:feature/secure-webhooks-26
@nsrawat0333

🔐 Add webhook signature verification for Fal.AI webhooks

Fixes #26

🔍 Problem

Previously, Fal.AI webhooks were not secured, allowing anyone with the webhook URL to send malicious requests.

✨ Solution

Implemented HMAC-SHA256 signature verification similar to Clerk's Svix implementation.

📝 Changes Made

  • ✅ Added verifyFalAIWebhook middleware for signature validation
  • ✅ Secured /api/webhook/fal-ai/train endpoint
  • ✅ Secured /api/webhook/fal-ai/image endpoint
  • ✅ Updated README with FAL_WEBHOOK_SECRET configuration
  • ✅ Created comprehensive WEBHOOK_SECURITY.md documentation

🛡️ Security Benefits

  • Authentication: Only Fal.AI can send valid webhooks
  • Integrity: Payload tampering is detected
  • Consistency: Uses same pattern as Clerk webhooks

🧪 Testing

Signature verification can be tested with:

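PAYLOAD='{"request_id":"123","status":"COMPLETED"}'
# openssl prints a "(stdin)= " style prefix before the digest; keep only the hex value
# (assumes the header carries the bare hex digest). printf avoids echo -n portability issues.
SIGNATURE=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET" | awk '{print $NF}')
curl -H "x-fal-signature: $SIGNATURE" -d "$PAYLOAD" /webhook/fal-ai/train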
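
An added example of the kind of check described above, not the PR's own code (the diff is not shown on this page). It assumes the `x-fal-signature` header carries a hex HMAC-SHA256 of the raw request body; the function names, the Express wiring and the sample secret are hypothetical.

```javascript
const crypto = require("node:crypto");

// Hypothetical helper: true only if headerValue is the hex HMAC-SHA256
// of the exact bytes received, keyed with secret.
function verifyHmacSignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== "string" || !secret) return false;
  // Reject anything that is not exactly 64 hex characters before decoding.
  if (!/^[0-9a-f]{64}$/i.test(headerValue)) return false;
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(headerValue, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, received);
}

// Express-style middleware (assumed wiring): the route must receive raw bytes,
// e.g. via express.raw({ type: "application/json" }), so req.body is a Buffer.
// Verifying a re-serialized JSON object would not match the sender's bytes.
function requireSignedWebhook(secret) {
  return (req, res, next) => {
    const sig = req.headers["x-fal-signature"];
    if (!Buffer.isBuffer(req.body) || !verifyHmacSignature(req.body, sig, secret)) {
      return res.status(401).json({ error: "invalid signature" });
    }
    try {
      req.body = JSON.parse(req.body.toString("utf8")); // parse only after verifying
    } catch {
      return res.status(400).json({ error: "invalid JSON" });
    }
    next();
  };
}

// Constructed sample data for a local run.
const SECRET = "constructed-test-secret";
const BODY = Buffer.from('{"request_id":"123","status":"COMPLETED"}');
const GOOD_SIG = crypto.createHmac("sha256", SECRET).update(BODY).digest("hex");

// Drives the middleware with stub req/res objects and reports the outcome.
function runMiddleware(body, sig) {
  let status = 200, nextCalled = false;
  const req = { headers: sig === undefined ? {} : { "x-fal-signature": sig }, body };
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  requireSignedWebhook(SECRET)(req, res, () => { nextCalled = true; });
  return { status, nextCalled, body: req.body };
}
```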

Development

Successfully merging this pull request may close these issues.

Secure webhooks