diff --git a/app.js b/app.js index 6841d75..6734fe7 100644 --- a/app.js +++ b/app.js @@ -21,7 +21,11 @@ const fs = require('fs'); const path = require('path'); const express = require('express'); -const { ContextPrepareService, APIError } = require('@castleio/sdk'); +const { + ContextPrepareService, + APIError, + WebhookVerificationError, +} = require('@castleio/sdk'); const { demos, demoList, validUrls } = require('./demo_config'); @@ -51,9 +55,22 @@ function buildApp(castle = require('./castle')) { app.set('views', path.join(__dirname, 'views')); app.set('view engine', 'pug'); - app.use(express.json()); + // Keep the raw body around so incoming webhooks can be signature-verified + // (the HMAC is computed over the exact bytes Castle sent). + app.use( + express.json({ + verify: (req, _res, buf) => { + req.rawBody = buf; + }, + }) + ); app.use('/static', express.static(path.join(__dirname, 'static'))); + // In-memory store of the most recent webhooks received from Castle. A real + // app would persist these; an array is plenty for a localhost demo. + const receivedWebhooks = []; + let webhookSeq = 0; + // Serve the Castle browser SDK straight from the npm install (node_modules) // instead of vendoring it into the repo. It ends up at /vendor/castle-js/... const CASTLE_JS_DIR = path.join( @@ -105,6 +122,46 @@ function buildApp(castle = require('./castle')) { }); }); + // Webhooks demo. The receiver below stores verified payloads; this page lists + // them. Registered before the catch-all `/:demoName` route so it wins. + app.get('/webhooks', (req, res) => { + const protocol = req.get('x-forwarded-proto') || req.protocol; + res.render('webhooks', { + ...getDefaultParams(), + ...demos.webhooks, + demo_name: 'webhooks', + webhooks: true, + webhook_endpoint: `${protocol}://${req.get('host')}/webhooks/castle`, + webhooks_received: receivedWebhooks, + }); + }); + + // Receives webhooks from Castle. The signature is verified against the raw + // body; anything that fails verification gets a 404 so we don't reveal the + // endpoint to unauthenticated callers. + app.post('/webhooks/castle', (req, res) => { + try { + castle.verifyWebhookSignature( + req.rawBody || Buffer.from(''), + req.get('X-Castle-Signature') + ); + } catch (err) { + if (err instanceof WebhookVerificationError) { + return res.status(404).render('error', getDefaultParams()); + } + throw err; + } + + receivedWebhooks.unshift({ + id: (webhookSeq += 1), + received_at: new Date().toISOString(), + body: req.body, + }); + receivedWebhooks.length = Math.min(receivedWebhooks.length, 50); + + return res.status(204).end(); + }); + app.get('/:demoName', (req, res) => { const params = getDefaultParams(); const { demoName } = req.params; diff --git a/demo_config.js b/demo_config.js index ef8a667..e72da21 100644 --- a/demo_config.js +++ b/demo_config.js @@ -23,6 +23,10 @@ const demos = { friendly_name: 'privacy', blurb: "Request or delete a user's data with the Privacy API.", }, + webhooks: { + friendly_name: 'webhooks', + blurb: 'Verify and inspect incoming Castle webhooks.', + }, }; const demoList = Object.entries(demos).map(([url, demo]) => ({ url, ...demo })); diff --git a/readme.md b/readme.md index 282ae88..3c47aab 100644 --- a/readme.md +++ b/readme.md @@ -16,6 +16,7 @@ Server-rendered pages: - **password reset** – `$password_reset` via the non-blocking `log` endpoint - **lists** – the Lists API (`createList`, `fetchAllLists`) - **privacy** – the Privacy API (`requestUserData`, `deleteUserData`) +- **webhooks** – incoming Castle webhooks are signature-verified with `verifyWebhookSignature` (against the `X-Castle-Signature` header) and the most recent payloads are listed Post-login `/account` page: diff --git a/static/styles.css b/static/styles.css index de97e19..bd3b78a 100644 --- a/static/styles.css +++ b/static/styles.css @@ -1 +1 @@ -*,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }/*! tailwindcss v3.4.19 | MIT License | https://tailwindcss.com*/*,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}:after,:before{--tw-content:""}:host,html{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}body{min-height:100vh;--tw-bg-opacity:1;background-color:rgb(246 248 252/var(--tw-bg-opacity,1));font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:15px;line-height:1.625;color:rgb(15 23 41/var(--tw-text-opacity,1));-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-image:radial-gradient(1200px 600px at 80% -10%,rgba(54,94,237,.12),transparent 60%)}a,body{--tw-text-opacity:1}a{color:rgb(54 94 237/var(--tw-text-opacity,1));text-decoration-line:none}a:hover{text-decoration-line:underline}h1,h2,h3,h4{font-weight:600;line-height:1.25}p{margin-bottom:.75rem}code{border-radius:.25rem;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.125rem .375rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.86em}.my-5{margin-top:1.25rem;margin-bottom:1.25rem}.mb-6{margin-bottom:1.5rem}.mt-3{margin-top:.75rem}.mt-6{margin-top:1.5rem}.mt-8{margin-top:2rem}.block{display:block}.inline-block{display:inline-block}.grid{display:grid}.hidden{display:none}.list-decimal{list-style-type:decimal}.items-start{align-items:flex-start}.justify-center{justify-content:center}.gap-4{gap:1rem}.gap-6{gap:1.5rem}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.25rem*var(--tw-space-y-reverse))}.border-border{--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1))}.pl-5{padding-left:1.25rem}.text-\[1\.15rem\]{font-size:1.15rem}.text-\[1\.6rem\]{font-size:1.6rem}.text-\[2\.2rem\]{font-size:2.2rem}.text-muted{--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.navbar{position:sticky;top:0;z-index:50;flex-wrap:wrap;gap:1.5rem;border-bottom-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));padding:.875rem 1.5rem;background:hsla(0,0%,100%,.8);-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px)}.brand,.navbar{display:flex;align-items:center}.brand{gap:.5rem;font-size:1.05rem;font-weight:700;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.brand:hover{text-decoration-line:none}.brand-logo{height:1.4rem;width:1.4rem;flex-shrink:0;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1));filter:drop-shadow(0 0 8px rgba(54,94,237,.35))}.brand-logo-lg{height:3rem;width:3rem}.nav-links{margin-left:auto;display:flex;flex-wrap:wrap;align-items:center;gap:1.25rem}.nav-links a{font-size:.92rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.nav-links a:hover{--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));text-decoration-line:none}.tag{border-radius:9999px;border-width:1px;border-color:rgba(54,94,237,.4);background-color:rgba(54,94,237,.1);padding:.125rem .5rem;font-size:.75rem;line-height:1rem;font-weight:600;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1))}.container-page{margin-left:auto;margin-right:auto;max-width:1120px;padding:2rem 1.5rem 4rem}.card{border-radius:14px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(255 255 255/var(--tw-bg-opacity,1));padding:1.5rem;--tw-shadow:0 1px 3px rgba(16,24,40,.06),0 8px 24px rgba(16,24,40,.06);--tw-shadow-colored:0 1px 3px var(--tw-shadow-color),0 8px 24px var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow,0 0 #0000),var(--tw-ring-shadow,0 0 #0000),var(--tw-shadow)}.eyebrow{margin-bottom:.375rem;font-size:.75rem;line-height:1rem;font-weight:700;text-transform:uppercase;letter-spacing:.05em;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.hero{padding:3rem 1rem;text-align:center}.feature{display:block;border-radius:14px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(255 255 255/var(--tw-bg-opacity,1));padding:1.25rem;text-align:left;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.feature:hover{--tw-translate-y:-0.125rem;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));text-decoration-line:none}.feature h3{margin-bottom:.25rem;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.feature p{margin:0;font-size:.875rem;line-height:1.25rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.field{margin-bottom:.875rem}.field label{margin-bottom:.375rem;display:block;font-size:.82rem;font-weight:600;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.input{width:100%;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:.625rem .75rem;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:.95rem;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.input:focus{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));outline:2px solid transparent;outline-offset:2px;box-shadow:0 0 0 3px rgba(54,94,237,.14)}.checkbox{margin-top:.25rem;display:flex;align-items:center;gap:.5rem;font-size:.85rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.checkbox input{margin:0;width:auto}.form-links{margin-top:1rem;display:flex;justify-content:space-between;gap:1rem;font-size:.85rem}.btn{cursor:pointer;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.625rem 1rem;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:.92rem;font-weight:600;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.btn:hover{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1))}.btn:active{--tw-translate-y:1px;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.btn-primary{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(54 94 237/var(--tw-bg-opacity,1));--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.btn-primary:hover{--tw-bg-opacity:1;background-color:rgb(42 78 209/var(--tw-bg-opacity,1))}.btn-ghost{background-color:transparent}.btn-row{margin-top:1rem;display:flex;flex-wrap:wrap;gap:.625rem}.meta-list{margin:0;list-style-type:none;padding:0}.meta-list li{display:flex;justify-content:space-between;gap:1rem;border-bottom-width:1px;--tw-border-opacity:1;border-color:rgb(233 237 245/var(--tw-border-opacity,1));padding-top:.5rem;padding-bottom:.5rem;font-size:.9rem}.meta-list li:last-child{border-bottom-width:0}.meta-list .k{--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.meta-list .v{word-break:break-all;text-align:right;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.result-block{margin-top:1rem}.result-block .label{margin-bottom:.375rem;font-size:.78rem;font-weight:700;text-transform:uppercase;letter-spacing:.025em;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}pre.json{margin:0;overflow:auto;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:1rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.85rem;line-height:1.5}.json .k{color:#0550ae}.json .s{color:#0a7d33}.json .n{color:#b25000}.json .b{color:rgb(54 94 237/var(--tw-text-opacity,1))}.json .b,.json .z{--tw-text-opacity:1}.json .z{color:rgb(91 102 120/var(--tw-text-opacity,1))}.badge{display:inline-block;border-radius:9999px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));padding:.125rem .5rem;font-size:.75rem;line-height:1rem;font-weight:600}.badge.endpoint{border-color:rgba(54,94,237,.4);background-color:rgba(54,94,237,.1);font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1))}.verdict{display:flex;align-items:center;gap:.875rem;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.625rem 1rem}.verdict-action{border-radius:9999px;padding:.25rem .625rem;font-size:.85rem;font-weight:700;text-transform:uppercase;letter-spacing:.05em}.verdict-score{font-size:.9rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.verdict-allow{border-color:rgba(22,163,74,.4);background-color:rgba(22,163,74,.1)}.verdict-allow .verdict-action{--tw-bg-opacity:1;background-color:rgb(22 163 74/var(--tw-bg-opacity,1));color:#0b1020}.verdict-challenge{border-color:rgba(245,158,11,.4);background-color:rgba(245,158,11,.1)}.verdict-challenge .verdict-action{--tw-bg-opacity:1;background-color:rgb(245 158 11/var(--tw-bg-opacity,1));color:#0b1020}.verdict-deny{border-color:rgba(220,38,38,.4);background-color:rgba(220,38,38,.1)}.verdict-deny .verdict-action{--tw-bg-opacity:1;background-color:rgb(220 38 38/var(--tw-bg-opacity,1));--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.signals{margin-top:.625rem;display:flex;flex-wrap:wrap;gap:.375rem}.signals .chip{border-radius:9999px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:.125rem .5rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.75rem;line-height:1rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}@media (min-width:768px){.md\:grid-cols-\[1\.3fr_1fr\]{grid-template-columns:1.3fr 1fr}} \ No newline at end of file +*,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }/*! tailwindcss v3.4.19 | MIT License | https://tailwindcss.com*/*,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}:after,:before{--tw-content:""}:host,html{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}body{min-height:100vh;--tw-bg-opacity:1;background-color:rgb(246 248 252/var(--tw-bg-opacity,1));font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:15px;line-height:1.625;color:rgb(15 23 41/var(--tw-text-opacity,1));-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-image:radial-gradient(1200px 600px at 80% -10%,rgba(54,94,237,.12),transparent 60%)}a,body{--tw-text-opacity:1}a{color:rgb(54 94 237/var(--tw-text-opacity,1));text-decoration-line:none}a:hover{text-decoration-line:underline}h1,h2,h3,h4{font-weight:600;line-height:1.25}p{margin-bottom:.75rem}code{border-radius:.25rem;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.125rem .375rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.86em}.my-5{margin-top:1.25rem;margin-bottom:1.25rem}.mb-6{margin-bottom:1.5rem}.mt-3{margin-top:.75rem}.mt-4{margin-top:1rem}.mt-6{margin-top:1.5rem}.mt-8{margin-top:2rem}.block{display:block}.inline-block{display:inline-block}.grid{display:grid}.hidden{display:none}.list-decimal{list-style-type:decimal}.items-start{align-items:flex-start}.justify-center{justify-content:center}.gap-4{gap:1rem}.gap-6{gap:1.5rem}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.25rem*var(--tw-space-y-reverse))}.whitespace-pre-wrap{white-space:pre-wrap}.border-border{--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1))}.pl-5{padding-left:1.25rem}.text-\[0\.8rem\]{font-size:.8rem}.text-\[1\.15rem\]{font-size:1.15rem}.text-\[1\.6rem\]{font-size:1.6rem}.text-\[2\.2rem\]{font-size:2.2rem}.text-muted{--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.navbar{position:sticky;top:0;z-index:50;flex-wrap:wrap;gap:1.5rem;border-bottom-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));padding:.875rem 1.5rem;background:hsla(0,0%,100%,.8);-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px)}.brand,.navbar{display:flex;align-items:center}.brand{gap:.5rem;font-size:1.05rem;font-weight:700;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.brand:hover{text-decoration-line:none}.brand-logo{height:1.4rem;width:1.4rem;flex-shrink:0;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1));filter:drop-shadow(0 0 8px rgba(54,94,237,.35))}.brand-logo-lg{height:3rem;width:3rem}.nav-links{margin-left:auto;display:flex;flex-wrap:wrap;align-items:center;gap:1.25rem}.nav-links a{font-size:.92rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.nav-links a:hover{--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));text-decoration-line:none}.tag{border-radius:9999px;border-width:1px;border-color:rgba(54,94,237,.4);background-color:rgba(54,94,237,.1);padding:.125rem .5rem;font-size:.75rem;line-height:1rem;font-weight:600;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1))}.container-page{margin-left:auto;margin-right:auto;max-width:1120px;padding:2rem 1.5rem 4rem}.card{border-radius:14px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(255 255 255/var(--tw-bg-opacity,1));padding:1.5rem;--tw-shadow:0 1px 3px rgba(16,24,40,.06),0 8px 24px rgba(16,24,40,.06);--tw-shadow-colored:0 1px 3px var(--tw-shadow-color),0 8px 24px var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow,0 0 #0000),var(--tw-ring-shadow,0 0 #0000),var(--tw-shadow)}.eyebrow{margin-bottom:.375rem;font-size:.75rem;line-height:1rem;font-weight:700;text-transform:uppercase;letter-spacing:.05em;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.hero{padding:3rem 1rem;text-align:center}.feature{display:block;border-radius:14px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(255 255 255/var(--tw-bg-opacity,1));padding:1.25rem;text-align:left;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.feature:hover{--tw-translate-y:-0.125rem;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y));--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));text-decoration-line:none}.feature h3{margin-bottom:.25rem;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.feature p{margin:0;font-size:.875rem;line-height:1.25rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.field{margin-bottom:.875rem}.field label{margin-bottom:.375rem;display:block;font-size:.82rem;font-weight:600;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.input{width:100%;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:.625rem .75rem;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:.95rem;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.input:focus{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));outline:2px solid transparent;outline-offset:2px;box-shadow:0 0 0 3px rgba(54,94,237,.14)}.checkbox{margin-top:.25rem;display:flex;align-items:center;gap:.5rem;font-size:.85rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.checkbox input{margin:0;width:auto}.form-links{margin-top:1rem;display:flex;justify-content:space-between;gap:1rem;font-size:.85rem}.btn{cursor:pointer;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.625rem 1rem;font-family:Inter,ui-sans-serif,system-ui,sans-serif;font-size:.92rem;font-weight:600;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1));transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.btn:hover{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1))}.btn:active{--tw-translate-y:1px;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.btn-primary{--tw-border-opacity:1;border-color:rgb(54 94 237/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(54 94 237/var(--tw-bg-opacity,1));--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.btn-primary:hover{--tw-bg-opacity:1;background-color:rgb(42 78 209/var(--tw-bg-opacity,1))}.btn-ghost{background-color:transparent}.btn-row{margin-top:1rem;display:flex;flex-wrap:wrap;gap:.625rem}.meta-list{margin:0;list-style-type:none;padding:0}.meta-list li{display:flex;justify-content:space-between;gap:1rem;border-bottom-width:1px;--tw-border-opacity:1;border-color:rgb(233 237 245/var(--tw-border-opacity,1));padding-top:.5rem;padding-bottom:.5rem;font-size:.9rem}.meta-list li:last-child{border-bottom-width:0}.meta-list .k{--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.meta-list .v{word-break:break-all;text-align:right;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;--tw-text-opacity:1;color:rgb(15 23 41/var(--tw-text-opacity,1))}.result-block{margin-top:1rem}.result-block .label{margin-bottom:.375rem;font-size:.78rem;font-weight:700;text-transform:uppercase;letter-spacing:.025em;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}pre.json{margin:0;overflow:auto;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:1rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.85rem;line-height:1.5}.json .k{color:#0550ae}.json .s{color:#0a7d33}.json .n{color:#b25000}.json .b{color:rgb(54 94 237/var(--tw-text-opacity,1))}.json .b,.json .z{--tw-text-opacity:1}.json .z{color:rgb(91 102 120/var(--tw-text-opacity,1))}.badge{display:inline-block;border-radius:9999px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));padding:.125rem .5rem;font-size:.75rem;line-height:1rem;font-weight:600}.badge.endpoint{border-color:rgba(54,94,237,.4);background-color:rgba(54,94,237,.1);font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;--tw-text-opacity:1;color:rgb(54 94 237/var(--tw-text-opacity,1))}.verdict{display:flex;align-items:center;gap:.875rem;border-radius:9px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 251/var(--tw-bg-opacity,1));padding:.625rem 1rem}.verdict-action{border-radius:9999px;padding:.25rem .625rem;font-size:.85rem;font-weight:700;text-transform:uppercase;letter-spacing:.05em}.verdict-score{font-size:.9rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}.verdict-allow{border-color:rgba(22,163,74,.4);background-color:rgba(22,163,74,.1)}.verdict-allow .verdict-action{--tw-bg-opacity:1;background-color:rgb(22 163 74/var(--tw-bg-opacity,1));color:#0b1020}.verdict-challenge{border-color:rgba(245,158,11,.4);background-color:rgba(245,158,11,.1)}.verdict-challenge .verdict-action{--tw-bg-opacity:1;background-color:rgb(245 158 11/var(--tw-bg-opacity,1));color:#0b1020}.verdict-deny{border-color:rgba(220,38,38,.4);background-color:rgba(220,38,38,.1)}.verdict-deny .verdict-action{--tw-bg-opacity:1;background-color:rgb(220 38 38/var(--tw-bg-opacity,1));--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.signals{margin-top:.625rem;display:flex;flex-wrap:wrap;gap:.375rem}.signals .chip{border-radius:9999px;border-width:1px;--tw-border-opacity:1;border-color:rgb(221 227 238/var(--tw-border-opacity,1));--tw-bg-opacity:1;background-color:rgb(238 242 249/var(--tw-bg-opacity,1));padding:.125rem .5rem;font-family:ui-monospace,SFMono-Regular,Menlo,Consolas,monospace;font-size:.75rem;line-height:1rem;--tw-text-opacity:1;color:rgb(91 102 120/var(--tw-text-opacity,1))}@media (min-width:768px){.md\:grid-cols-\[1\.3fr_1fr\]{grid-template-columns:1.3fr 1fr}} \ No newline at end of file diff --git a/test/app.test.js b/test/app.test.js index 76f5660..44fbbfe 100644 --- a/test/app.test.js +++ b/test/app.test.js @@ -1,7 +1,7 @@ 'use strict'; const request = require('supertest'); -const { Castle, APIError } = require('@castleio/sdk'); +const { Castle, APIError, WebhookVerificationError } = require('@castleio/sdk'); const { buildApp } = require('../app'); // Non-secret demo identity used across the tests. @@ -65,7 +65,7 @@ describe('page routes', () => { expect(res.text).not.toContain('/vendor/castle-js/castle.browser.js'); }); - test.each(['signup', 'password_reset', 'lists', 'privacy'])( + test.each(['signup', 'password_reset', 'lists', 'privacy', 'webhooks'])( 'GET /%s renders', async (name) => { const res = await request(app).get('/' + name); @@ -295,3 +295,41 @@ describe('account-level APIs', () => { expect(res.body.result.error).toMatch(/401/); }); }); + +describe('webhooks', () => { + test('a verified webhook is stored and listed', async () => { + const castle = stubbedCastle(); + jest.spyOn(castle, 'verifyWebhookSignature').mockReturnValue(undefined); + const app = buildApp(castle); + + const post = await request(app) + .post('/webhooks/castle') + .set('X-Castle-Signature', 'valid') + .send({ type: 'review.opened', data: { id: 'rev_1' } }); + + expect(post.status).toBe(204); + expect(castle.verifyWebhookSignature).toHaveBeenCalledTimes(1); + + const list = await request(app).get('/webhooks'); + expect(list.status).toBe(200); + expect(list.text).toContain('review.opened'); + }); + + test('a webhook that fails verification is rejected with a 404', async () => { + const castle = stubbedCastle(); + jest.spyOn(castle, 'verifyWebhookSignature').mockImplementation(() => { + throw new WebhookVerificationError('Invalid signature'); + }); + const app = buildApp(castle); + + const res = await request(app) + .post('/webhooks/castle') + .set('X-Castle-Signature', 'bad') + .send({ type: 'review.opened' }); + + expect(res.status).toBe(404); + + const list = await request(app).get('/webhooks'); + expect(list.text).toContain('No webhooks received yet.'); + }); +}); diff --git a/views/webhooks.pug b/views/webhooks.pug new file mode 100644 index 0000000..575c8f7 --- /dev/null +++ b/views/webhooks.pug @@ -0,0 +1,26 @@ +extends demo + +block ui + p This page lists the most recent webhooks Castle has delivered to this app. Each one is signature-verified before it is stored. + .field + label receiver endpoint + input.input(type="text" value=webhook_endpoint readonly onclick="this.select()") + .btn-row + a.btn(href="/webhooks") Refresh + if webhooks_received && webhooks_received.length + each wh in webhooks_received + .result-block.mt-4 + .label ##{wh.id} · #{wh.received_at} + pre(class="whitespace-pre-wrap text-[0.8rem]")= JSON.stringify(wh.body, null, 2) + else + p.text-muted.mt-4 No webhooks received yet. + +block desc + p Point a webhook at + code= " " + webhook_endpoint + | from the Castle dashboard (Settings → Webhooks). Incoming requests are verified with + code verifyWebhookSignature + | against the + code X-Castle-Signature + | header; anything that fails verification gets a 404. + p Because this demo runs on localhost, Castle needs a public tunnel (e.g. ngrok) to reach the receiver.