feat: add brevo webhook validator

Yizack · Yizack · commit 6fca667a028f · 2025-09-22T03:11:40.000+02:00
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ A simple nuxt module that works on the edge to easily validate incoming webhooks
 
 ## Features
 
-- 19 [Webhook validators](#supported-webhook-validators)
+- 20 [Webhook validators](#supported-webhook-validators)
 - Works on the edge
 - Exposed [Server utils](#server-utils)
 
@@ -78,6 +78,7 @@ Go to [playground/.env.example](./playground/.env.example) or [playground/nuxt.c
 
 #### Supported webhook validators:
 
+- Brevo
 - Discord
 - Dropbox
 - Fourthwall
diff --git a/playground/.env.example b/playground/.env.example
@@ -1,3 +1,6 @@
+# Brevo Validator
+NUXT_WEBHOOK_BREVO_TOKEN=
+
 # Discord Validator
 NUXT_WEBHOOK_DISCORD_PUBLIC_KEY=
 
diff --git a/playground/nuxt.config.ts b/playground/nuxt.config.ts
@@ -8,6 +8,9 @@ export default defineNuxtConfig({
   devtools: { enabled: true },
   runtimeConfig: {
     webhook: {
+      brevo: {
+        token: '',
+      },
       discord: {
         publicKey: '',
       },
diff --git a/playground/server/api/webhooks/brevo.post.ts b/playground/server/api/webhooks/brevo.post.ts
@@ -0,0 +1,7 @@
+export default defineEventHandler(async (event) => {
+  const isValidWebhook = await isValidBrevoWebhook(event)
+
+  if (!isValidWebhook) throw createError({ statusCode: 401, message: 'Unauthorized: webhook is not valid' })
+
+  return { isValidWebhook }
+})
diff --git a/src/module.ts b/src/module.ts
@@ -20,6 +20,10 @@ export default defineNuxtModule<ModuleOptions>({
     const runtimeConfig = nuxt.options.runtimeConfig
     // Webhook settings
     runtimeConfig.webhook = defu(runtimeConfig.webhook, {})
+    // Brevo Webhook
+    runtimeConfig.webhook.brevo = defu(runtimeConfig.webhook.brevo, {
+      token: '',
+    })
     // Discord Webhook
     runtimeConfig.webhook.discord = defu(runtimeConfig.webhook.discord, {
       publicKey: '',
diff --git a/src/runtime/server/lib/validators/brevo.ts b/src/runtime/server/lib/validators/brevo.ts
@@ -0,0 +1,40 @@
+import { type H3Event, getRequestHeader, getRequestIP } from 'h3'
+import { useRuntimeConfig } from '#imports'
+
+const ALLOWED_IP_RANGES = ['1.179.112.0/20', '172.246.240.0/20']
+
+const ipToInt = (ip: string) => {
+  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0)
+}
+
+const isIpInRange = (ip: string, cidr: string) => {
+  const [range, bits] = cidr.split('/')
+  if (!range || !bits) return false
+
+  const mask = ~(2 ** (32 - Number(bits)) - 1)
+  return (ipToInt(ip) & mask) === (ipToInt(range) & mask)
+}
+
+/**
+ * Validates Brevo webhooks on the Edge
+ * @see {@link https://help.brevo.com/hc/en-us/articles/27824932835474}
+ * @param event H3Event
+ * @returns {boolean} `true` if the webhook is valid, `false` otherwise
+ */
+export const isValidBrevoWebhook = async (event: H3Event): Promise<boolean> => {
+  const ip = getRequestIP(event, { xForwardedFor: true })
+
+  if (!ip || !ALLOWED_IP_RANGES.some(cidr => isIpInRange(ip, cidr))) return false
+
+  // const config = ensureConfiguration('brevo', event) // No need to ensure brevo configuration
+  const config = useRuntimeConfig(event).webhook.brevo
+
+  if (config.token) {
+    const authorization = getRequestHeader(event, 'authorization') || ''
+    if (!authorization.toLowerCase().startsWith('bearer ')) return false
+    const token = authorization.slice(7)
+    if (token !== config.token) return false
+  }
+
+  return true
+}
diff --git a/test/events.ts b/test/events.ts
@@ -1,3 +1,4 @@
+export { simulateBrevoEvent } from './simulations/brevo'
 export { simulateDiscordEvent } from './simulations/discord'
 export { simulateDropboxEvent } from './simulations/dropbox'
 export { simulateFourthwallEvent } from './simulations/fourthwall'
diff --git a/test/fixtures/basic/nuxt.config.ts b/test/fixtures/basic/nuxt.config.ts
@@ -7,6 +7,9 @@ export default defineNuxtConfig({
   modules: [myModule],
   runtimeConfig: {
     webhook: {
+      brevo: {
+        token: 'testToken',
+      },
       discord: {
         publicKey: 'fcf4594ff55a5898a7e7ce541b93dc8ce618c7a4fa96ab7efd1ac2890571345c',
       },
diff --git a/test/module.test.ts b/test/module.test.ts
@@ -50,9 +50,8 @@ describe('webhooks', async () => {
   // Iterate over the `events` object dynamically
   const events = await import('./events')
   for (const [methodName, simulation] of Object.entries(events)) {
-    const match = methodName.match(/^simulate(.*)Event$/)
-    if (!match) continue
-    const webhookName = match[1]
+    const [, webhookName] = methodName.match(/^simulate(.*)Event$/) || []
+    if (!webhookName) continue
     it(`valid ${webhookName} webhook`, async () => {
       const response = await simulation()
       expect(response).toStrictEqual(validWebhook)
diff --git a/test/simulations/brevo.ts b/test/simulations/brevo.ts
@@ -0,0 +1,16 @@
+import { $fetch } from '@nuxt/test-utils/e2e'
+
+const body = { test: 'testData' }
+
+export const simulateBrevoEvent = async () => {
+  const headers = {
+    'authorization': 'Bearer testToken',
+    'x-forwarded-for': '1.179.112.0',
+  }
+
+  return $fetch<{ isValidWebhook: boolean }>('/api/webhooks/brevo', {
+    method: 'POST',
+    headers,
+    body,
+  })
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+export { simulateBrevoEvent } from './simulations/brevo'`
`1`	`2`	`export { simulateDiscordEvent } from './simulations/discord'`
`2`	`3`	`export { simulateDropboxEvent } from './simulations/dropbox'`
`3`	`4`	`export { simulateFourthwallEvent } from './simulations/fourthwall'`