npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@bernierllc/webhook-receiver

v1.2.2

Published

Core HTTP endpoint functionality for receiving and processing webhooks with signature validation

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

alikhan410alikhan410mkberniermkbernier

Keywords

webhookreceiverhttpsignaturevalidationhmacjwtgithubstripe

Readme

@bernierllc/webhook-receiver

Core HTTP endpoint functionality for receiving and processing webhooks with signature validation.

Installation

npm install @bernierllc/webhook-receiver

Usage

Basic Webhook Receiver

import { WebhookReceiver } from '@bernierllc/webhook-receiver';

const receiver = new WebhookReceiver({
  maxPayloadSize: 1024 * 1024, // 1MB
  signatureHeader: 'x-webhook-signature',
  signatureSecret: process.env.WEBHOOK_SECRET,
  signatureAlgorithm: 'hmac-sha256',
  replayProtection: true,
  timestampTolerance: 300 // 5 minutes
});

// Process incoming webhook
const payload = await receiver.processRequest({
  method: 'POST',
  headers: request.headers,
  body: request.body,
  url: request.url
});

console.log('Webhook received:', payload.event, payload.source);

GitHub Webhook Example

const githubReceiver = new WebhookReceiver({
  signatureHeader: 'x-hub-signature-256',
  signatureSecret: process.env.GITHUB_WEBHOOK_SECRET,
  signatureAlgorithm: 'hmac-sha256',
  customValidator: async (payload) => {
    // GitHub-specific validation
    return payload.headers['user-agent']?.startsWith('GitHub-Hookshot/');
  }
});

Stripe Webhook Example

const stripeReceiver = new WebhookReceiver({
  signatureHeader: 'stripe-signature',
  signatureSecret: process.env.STRIPE_WEBHOOK_SECRET,
  signatureAlgorithm: 'hmac-sha256',
  timestampHeader: 'stripe-signature', // Contains timestamp
  timestampTolerance: 300
});

Features

  • Multiple Signature Algorithms: HMAC-SHA256, HMAC-SHA1, JWT, custom validation
  • Automatic Source Detection: GitHub, Stripe, GitLab, Bitbucket, Slack, Discord
  • Replay Protection: Timestamp validation with configurable tolerance
  • Content Type Support: JSON, form-data, raw text, XML
  • Size Limits: Configurable payload size restrictions
  • Framework Agnostic: Works with Express, Fastify, Next.js, Edge functions

API Reference

WebhookReceiver

Constructor Options

interface ReceiverOptions {
  maxPayloadSize?: number;      // Max payload size in bytes (default: 10MB)
  signatureHeader?: string;     // Header containing signature
  signatureSecret?: string;     // Secret for signature validation
  signatureAlgorithm?: 'hmac-sha256' | 'hmac-sha1' | 'jwt' | 'custom';
  timestampHeader?: string;     // Header containing timestamp
  timestampTolerance?: number;  // Timestamp tolerance in seconds
  replayProtection?: boolean;   // Enable replay protection
  customValidator?: (payload: WebhookPayload) => Promise<boolean>;
}

Methods

  • processRequest(request: WebhookRequest): Promise<WebhookPayload>
  • validateSignature(payload: WebhookPayload): Promise<boolean>
  • validateTimestamp(payload: WebhookPayload): Promise<boolean>

Utility Functions

// Signature validation
validateHmacSignature(payload: string | Buffer, signature: string, secret: string, algorithm: 'sha256' | 'sha1'): boolean

// Request parsing
parseHeaders(headers: Record<string, string>): ParsedHeaders
parsePayloadData(body: Buffer | string, contentType?: string): any

// Source detection
detectWebhookSource(headers: Record<string, string>): string
detectWebhookEvent(headers: Record<string, string>, data: any): string

Supported Webhook Sources

  • GitHub (x-github-event, x-hub-signature-256)
  • Stripe (stripe-signature)
  • GitLab (x-gitlab-event)
  • Bitbucket (x-event-key)
  • Slack (User-Agent detection)
  • Discord (User-Agent detection)
  • Generic webhook detection

Security Features

  • Signature Validation: HMAC-SHA256/SHA1, JWT token validation
  • Replay Protection: Timestamp validation with configurable tolerance
  • Input Validation: Payload size limits, content-type validation
  • Header Sanitization: Removes potentially dangerous headers
  • Timing Attack Prevention: Constant-time signature comparison

Error Handling

All validation errors throw WebhookError with appropriate HTTP status codes:

try {
  const payload = await receiver.processRequest(request);
} catch (error) {
  if (error instanceof WebhookError) {
    // Return appropriate HTTP status
    return new Response(error.message, { status: error.statusCode });
  }
  throw error;
}

Integration Status

Logger Integration

Status: Optional (recommended for webhook monitoring)

Justification: While this package can function without logging, it's highly recommended to integrate @bernierllc/logger for webhook event monitoring. Webhook receivers handle security-critical operations (signature validation, replay protection) and logging these events helps with security auditing, debugging, and threat detection. However, the package is designed to work without logging for environments where logging isn't available.

Pattern: Optional integration - package works without logger, but logger enhances security monitoring capabilities.

Example Integration:

import { Logger } from '@bernierllc/logger';
import { WebhookReceiver } from '@bernierllc/webhook-receiver';

const logger = new Logger({ service: 'webhook-receiver' });
const receiver = new WebhookReceiver({ /* config */ });

// Log webhook events
receiver.on('webhook:received', (event) => {
  logger.info('Webhook received', { source: event.source, timestamp: event.timestamp });
});

NeverHub Integration

Status: Optional (recommended for webhook orchestration)

Justification: While this package can function without NeverHub, it's highly recommended to integrate @bernierllc/neverhub-adapter for webhook orchestration and event publishing. Webhook receivers often need to coordinate with other services, and NeverHub provides a service mesh for publishing webhook events that other services can subscribe to. However, the package is designed to work without NeverHub for simpler use cases.

Pattern: Optional integration - package works without NeverHub, but NeverHub enhances webhook orchestration capabilities.

Example Integration:

import { NeverHubAdapter } from '@bernierllc/neverhub-adapter';
import { WebhookReceiver } from '@bernierllc/webhook-receiver';

const neverhub = new NeverHubAdapter({ service: 'webhook-receiver' });
const receiver = new WebhookReceiver({ /* config */ });

// Publish webhook events to NeverHub
receiver.on('webhook:validated', async (event) => {
  await neverhub.publish('webhook.received', {
    source: event.source,
    payload: event.payload,
    timestamp: event.timestamp
  });
});

Docs-Suite Integration

Status: Ready

Format: TypeDoc-compatible JSDoc comments are included throughout the source code. All public APIs are documented with examples and type information.

License

Copyright (c) 2025 Bernier LLC. All rights reserved.