event_id = request.headers.fetch('X-Event-Id')
timestamp = request.headers.fetch('X-Signature-Timestamp').to_i
raise ActionController::BadRequest, 'stale request' if Time.now.to_i - timestamp > 300
raise ActionController::BadRequest, 'replay detected' if WebhookEvent.exists?(external_id: event_id)
Rails.application.config.middleware.insert_before 0, Rack::Cors do
allow do
origins 'https://app.example.com', 'https://admin.example.com'
resource '/api/*',
headers: %w[Authorization Content-Type],
methods: %i[get post patch delete options],