exports.handler = async ({ payload, headers }) => {
const { createHmac } = require('crypto');
// Create webhook HMAC so that we know if the message comes from the real server.
let computedEventHmac = createHmac('sha256', process.env.SOKETI_SECRET)
.update(JSON.stringify(payload))
// Compute the payload (message) HMAC with the injected secret in the environment variables
// and see if the sent header matches it. If not, the message must have been tampered with and you
// should not process it by any means.
if (typeof headers['X-Pusher-Signature'] === undefined || computedEventHmac !== headers['X-Pusher-Signature']) {
payload.events.forEach(({ name, channel }) => {
if (name === 'channel_occupied') {
console.log(channel + ' is now occupied.');