fix(backend): Remove peerDep of svix for verifyWebhook() (#6059)

Co-authored-by: Robert Soriano <sorianorobertc@gmail.com>
Co-authored-by: Lennart <lekoarts@gmail.com>

Author: 3 people

.changeset/hungry-mangos-shout.md

@@ -0,0 +1,18 @@
+---
+'@clerk/backend': minor
+'@clerk/astro': minor
+'@clerk/express': minor
+'@clerk/fastify': minor
+'@clerk/nextjs': minor
+'@clerk/nuxt': minor
+'@clerk/react-router': minor
+'@clerk/tanstack-react-start': minor
+---
+
+The `svix` dependency is no longer needed when using the `verifyWebhook()` function. `verifyWebhook()` was refactored to not rely on `svix` anymore while keeping the same functionality and behavior.
+
+If you previously installed `svix` to use `verifyWebhook()` you can uninstall it now:
+
+```shell
+npm uninstall svix
+```

packages/backend/package.json

@@ -117,17 +117,8 @@
     "@edge-runtime/vm": "5.0.0",
     "msw": "2.8.7",
     "npm-run-all": "^4.1.5",
-    "svix": "^1.66.0",
     "vitest-environment-miniflare": "2.14.4"
   },
-  "peerDependencies": {
-    "svix": "^1.62.0"
-  },
-  "peerDependenciesMeta": {
-    "svix": {
-      "optional": true
-    }
-  },
   "engines": {
     "node": ">=18.17.0"
   },

packages/backend/src/webhooks.ts

@@ -1,6 +1,6 @@
 import { getEnvVariable } from '@clerk/shared/getEnvVariable';
+import crypto from 'crypto';
 import { errorThrower } from 'src/util/shared';
-import { Webhook } from 'svix';
 
 import type { WebhookEvent } from './api/resources/Webhooks';
 
@@ -71,12 +71,24 @@ export async function verifyWebhook(request: Request, options: VerifyWebhookOpti
     return errorThrower.throw(`Missing required Svix headers: ${missingHeaders.join(', ')}`);
   }
 
-  const sivx = new Webhook(secret);
   const body = await request.text();
 
-  return sivx.verify(body, {
-    [SVIX_ID_HEADER]: svixId,
-    [SVIX_TIMESTAMP_HEADER]: svixTimestamp,
-    [SVIX_SIGNATURE_HEADER]: svixSignature,
-  }) as WebhookEvent;
+  const signedContent = `${svixId}.${svixTimestamp}.${body}`;
+
+  const secretBytes = Buffer.from(secret.split('_')[1], 'base64');
+
+  const constructedSignature = crypto.createHmac('sha256', secretBytes).update(signedContent).digest('base64');
+
+  // svixSignature can be a string with one or more space separated signatures
+  if (svixSignature.split(' ').includes(constructedSignature)) {
+    return errorThrower.throw('Incoming webhook does not have a valid signature');
+  }
+
+  const payload = JSON.parse(body);
+
+  return {
+    type: payload.type,
+    object: 'event',
+    data: payload.data,
+  } as WebhookEvent;
 }