Webhooks server in Node.js

This article presents a simple webhooks server example.

We strongly advise you NOT to use this in a production environment.

# Dependencies

Both examples use the Express library to create the HTTP endpoint.
Also, for local development purposes, a tunneling service is required. This example uses ngrok.

npm install express jsonwebtoken

You can download ngrok here: https://ngrok.com/download.

# Examples

Below are two examples of a webhooks server built on Express.

# Example without checking the request signature

This is a very simple example, with the server logging the body from the request to the console. The body contains the complete webhook information sent from CKEditor Cloud Services.

const express = require( 'express' );
const app = express();
app.use( express.json() );

app.post( '/', ( req, res ) => {
    console.log( 'received webhook', req.body );
    res.sendStatus( 200 );
} );

app.listen( 9000, () => console.log( 'Node.js server started on port 9000.' ) );

# Example with checking the request signature

This example is more complex because while the server logs the webhook information to the console, it also checks if the request was sent from the CKEditor Cloud Services servers and was signed with the correct API secret.

Several variables are needed to generate and check the signature. The API secret is available in the Customer Portal for SaaS or in the Management Panel for On-Premises, the rest of the parameters are in the request:

  • method: req.method
  • url: req.url
  • timestamp: req.headers[ 'x-cs-timestamp' ]
  • body: req.rawBody

Please note that the rawBody field was added by the following configuration:

app.use( express.json( { verify: ( req, res, buffer ) => { req.rawBody = buffer; } } ) );

This field is not available by default in Express. The body field available in Express contains the already processed data that cannot be used to generate the signature.

const crypto = require( 'crypto' );

const express = require( 'express' );
const app = express();

const API_SECRET = 'secret';

app.use( express.json( { verify: ( req, res, buffer ) => { req.rawBody = buffer; } } ) );

app.post( '/', ( req, res ) => {
    const signature = _generateSignature( req.method, req.url, req.headers[ 'x-cs-timestamp' ], req.rawBody );

    if ( signature !== req.headers[ 'x-cs-signature' ] ) {
        return res.sendStatus( 401 );
    }

    console.log( 'received webhook', req.body );
    res.sendStatus( 200 );
} );

app.listen( 9000, () => console.log( 'Node.js server started on port 9000.' ) );

function _generateSignature( method, url, timestamp, body ) {
    const hmac = crypto.createHmac( 'SHA256', API_SECRET );

    hmac.update( `${ method.toUpperCase() }${ url }${ timestamp }` );

    if ( body ) {
        hmac.update( body );
    }

    return hmac.digest( 'hex' );
}

# Usage

Start the server with:

node index.js

If the server is running on port 9000, run ngrok with:

./ngrok http 9000

After this, you should see a *.ngrok.io URL. Copy the *.ngrok.io URL and paste it in the webhook configuration. You should be able to receive webhooks now.