1ce5d9150d
Both POST /:did/webhooks and DELETE /:did/webhooks were unauthenticated: anyone could register a webhook for someone else's DID (privacy leak) or wipe a DID's webhook list (DoS on legitimate subscribers). Now both endpoints require a Bluesky session bearer token, verified end-to-end against the DID's PDS via the existing authenticateRequest helper, and the verified DID must match the URL :did.
5.3 KiB
5.3 KiB