feat(api): karakeep webhook (HMAC-verified)

POST /api/ingest/karakeep accepts Karakeep webhook payloads. HMAC signature on the raw body captured by express.json's verify hook. Mounted on app before mountApi so it bypasses agentOrOwner — the shared secret IS the auth. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 03:55:57 +10:00
parent d1e986bc9c
commit d7f9bde5e9
3 changed files with 114 additions and 1 deletions
--- a/lib/api/routes/ingest.js
+++ b/lib/api/routes/ingest.js
@@ -0,0 +1,34 @@
+import { Router } from 'express';
+import crypto from 'node:crypto';
+import * as queue from '../../jobs/queue.js';
+import { asyncWrap } from '../errors.js';
+
+function verify(rawBody, headerSig) {
+  const secret = process.env.KARAKEEP_WEBHOOK_SECRET || '';
+  if (!headerSig || !secret || !rawBody) return false;
+  const expected = 'sha256=' +
+    crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
+  try { return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(headerSig)); }
+  catch { return false; }
+}
+
+export const router = Router();
+
+router.post('/karakeep', asyncWrap(async (req, res) => {
+  const sig = req.headers['x-karakeep-signature'];
+  if (!verify(req.rawBody, sig)) {
+    return res.status(401).json({ error: { code: 'unauthorized', message: 'bad signature' } });
+  }
+  const payload = req.body;
+  if (payload.event !== 'bookmark.created') return res.status(202).json({ skipped: true });
+  const space_id = process.env.KARAKEEP_DEFAULT_SPACE_ID;
+  if (!space_id) {
+    return res.status(503).json({
+      error: { code: 'unconfigured', message: 'KARAKEEP_DEFAULT_SPACE_ID not set' }
+    });
+  }
+  const job_id = await queue.enqueue('ingest.karakeep', {
+    bookmark_id: payload.bookmark_id, space_id
+  });
+  res.status(202).json({ job_id });
+}));