MailKite.Webhook (MailKite v0.13.0)


Verify inbound webhook signatures and build control-mode reply bodies.

Everything here is local — no network call. verify_webhook/4 is an HMAC-SHA256 check over the raw request body; the reply_* helpers return the exact JSON strings a webhook handler returns to acknowledge or control an event.

Functions

reply_block_sender()

@spec reply_block_sender() :: String.t()

Tell MailKite to block the sender: {"status":"ok","actions":[{"type":"block-sender"}]}.

reply_drop()

@spec reply_drop() :: String.t()

Tell MailKite to drop (discard) the message: {"status":"drop"}.

reply_ok()

@spec reply_ok() :: String.t()

Acknowledge an event: the JSON string {"status":"ok"}.

reply_spam()

@spec reply_spam() :: String.t()

Tell MailKite to mark the message as spam: {"status":"spam"}.

verify_webhook(signature, payload, secret, tolerance_ms \\ 300_000)

@spec verify_webhook(String.t() | nil, String.t(), String.t(), integer()) :: boolean()

Report whether signature (the x-mailkite-signature header, t=…,v1=…) is valid for payload (the raw, unparsed request body) under secret.

Rejects events older than tolerance_ms milliseconds (default 5 minutes) to block replays; pass 0 to disable the freshness check. Uses a constant-time comparison.
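The following handler is an added example, not code from the MailKite project. It shows the order these functions imply: read the raw body, verify it, and only then act on the event. It assumes a Plug-based application; the module name, the MAILKITE_WEBHOOK_SECRET environment variable, the body-size cap and the non-200 status codes are assumptions made for illustration.

```elixir
defmodule MyApp.MailKiteWebhookPlug do
  # Hypothetical module. Mount it before Plug.Parsers (or outside that
  # pipeline): once a parser has consumed the body, the raw bytes that the
  # signature covers are no longer available to read_body/2.
  @behaviour Plug
  import Plug.Conn

  # Assumed upper bound on the request body, in bytes.
  @max_body 1_000_000

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Assumed location of the shared secret; fetch_env!/1 raises if unset,
    # so a misconfigured deployment never verifies against an empty secret.
    secret = System.fetch_env!("MAILKITE_WEBHOOK_SECRET")

    # List.first/1 yields nil when the header is absent; verify_webhook/4
    # accepts nil for the signature per its @spec.
    signature = conn |> get_req_header("x-mailkite-signature") |> List.first()

    case read_body(conn, length: @max_body) do
      {:ok, raw_body, conn} ->
        # Default tolerance (300_000 ms) keeps the replay check enabled.
        if MailKite.Webhook.verify_webhook(signature, raw_body, secret) do
          # Only now is raw_body trusted; decode and process it here.
          conn
          |> put_resp_content_type("application/json")
          |> send_resp(200, MailKite.Webhook.reply_ok())
          |> halt()
        else
          # Fail closed: never act on or echo an unverified payload.
          conn |> send_resp(401, "invalid signature") |> halt()
        end

      {:more, _partial, conn} ->
        # Body exceeded @max_body; a truncated body cannot be verified.
        conn |> send_resp(413, "payload too large") |> halt()

      {:error, _reason} ->
        conn |> send_resp(400, "unreadable body") |> halt()
    end
  end
end
```

Re-encoding a parsed body before verification would change the bytes and make a valid signature fail, which is why the handler passes the body exactly as read.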