[GH-ISSUE #590] feat: Add local webhook receiver (asc webhooks serve) #164

New issue

Closed

opened 2026-02-26 21:33:51 +03:00 by kerem · 0 comments

kerem commented 2026-02-26 21:33:51 +03:00

Owner

Copy link

Originally created by @rudrankriyam on GitHub (Feb 17, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/590

Summary

Add a local webhook receiver so developers can test App Store Connect webhooks and drive automation locally.

Proposed command:

asc webhooks serve [flags]

Why this matters

Today, webhook work is awkward:

• you must deploy a server somewhere to test deliveries
• debugging payloads is slow
• it’s hard to iterate on “when event X happens, run automation Y”

A local receiver makes webhook development fast and scriptable.

Current state (verified)

• asc webhooks management exists (list/create/update/delete, deliveries, redeliver, ping).
• No asc webhooks serve command exists.

Proposed UX

Serve

# Start a local receiver
asc webhooks serve --port 8787

# Write each delivery to a file (one JSON per event)
asc webhooks serve --port 8787 --dir ./webhook-events

# (Optional) execute a command per received event
asc webhooks serve --port 8787 --exec "./scripts/on-webhook.sh"

Flags (proposal):

• --host (default 127.0.0.1)
• --port (default 8787)
• --dir (optional; write events to files, atomic writes, reject symlinks)
• --exec (optional; execute a command with event JSON on stdin)
• --output json|text (default text for “server started”, but payload handling should be JSON)

Notes:

• No interactive prompts.
• Never prints secrets.

Request handling

• Accept POST webhook payloads.
• Always respond quickly with 2xx after validation/parsing.
• Log a one-line summary per event (event type, timestamp, id).

Security / validation

If App Store Connect webhooks support signature/secret validation, add it as opt-in:

• --verify + ASC_WEBHOOK_SECRET (or similar)

If not feasible, still provide best-effort validation:

• JSON parse
• size limits (avoid huge bodies)

Test plan (TDD-first)

• unit tests for handler:
  • parses JSON, enforces size limits
  • file writing is deterministic + safe
  • --exec passes payload on stdin
• cmdtests:
  • --port validation
  • server starts and handles a synthetic POST

Acceptance criteria

• asc webhooks serve --help exists and is self-documenting.
• Events can be written to disk safely and deterministically.
• Optional --exec works without leaking secrets.
• make test passes.

Originally created by @rudrankriyam on GitHub (Feb 17, 2026). Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/590 ## Summary Add a local webhook receiver so developers can test App Store Connect webhooks and drive automation locally. Proposed command: ```bash asc webhooks serve [flags] ``` ## Why this matters Today, webhook work is awkward: - you must deploy a server somewhere to test deliveries - debugging payloads is slow - it’s hard to iterate on “when event X happens, run automation Y” A local receiver makes webhook development fast and scriptable. ## Current state (verified) - `asc webhooks` management exists (list/create/update/delete, deliveries, redeliver, ping). - No `asc webhooks serve` command exists. ## Proposed UX ### Serve ```bash # Start a local receiver asc webhooks serve --port 8787 # Write each delivery to a file (one JSON per event) asc webhooks serve --port 8787 --dir ./webhook-events # (Optional) execute a command per received event asc webhooks serve --port 8787 --exec "./scripts/on-webhook.sh" ``` Flags (proposal): - `--host` (default `127.0.0.1`) - `--port` (default `8787`) - `--dir` (optional; write events to files, atomic writes, reject symlinks) - `--exec` (optional; execute a command with event JSON on stdin) - `--output json|text` (default text for “server started”, but payload handling should be JSON) Notes: - No interactive prompts. - Never prints secrets. ### Request handling - Accept POST webhook payloads. - Always respond quickly with 2xx after validation/parsing. - Log a one-line summary per event (event type, timestamp, id). ## Security / validation If App Store Connect webhooks support signature/secret validation, add it as *opt-in*: - `--verify` + `ASC_WEBHOOK_SECRET` (or similar) If not feasible, still provide best-effort validation: - JSON parse - size limits (avoid huge bodies) ## Test plan (TDD-first) - [ ] unit tests for handler: - [ ] parses JSON, enforces size limits - [ ] file writing is deterministic + safe - [ ] `--exec` passes payload on stdin - [ ] cmdtests: - [ ] `--port` validation - [ ] server starts and handles a synthetic POST ## Acceptance criteria - [ ] `asc webhooks serve --help` exists and is self-documenting. - [ ] Events can be written to disk safely and deterministically. - [ ] Optional `--exec` works without leaking secrets. - [ ] `make test` passes.

kerem 2026-02-26 21:33:51 +03:00

• closed this issue
• added the
  enhancement
  label

kerem referenced this issue 2026-02-26 21:34:36 +03:00

[PR #170] [MERGED] audit: fix 7 code quality and security issues #332

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.1

1.1.0

1.0.1

1.0.0

0.49.1

0.49.0

0.48.1

0.48.0

0.47.1

0.47.0

0.46.2

0.46.1

0.46.0

0.45.4

0.45.3

0.45.2

0.45.1

0.45.0

0.44.2

0.44.1

0.44.0

0.43.0

0.42.0

0.41.4

0.41.3

0.41.2

0.41.1

0.41.0

0.40.1

0.40.0

0.39.1

0.39.0

0.38.3

0.38.2

0.38.1

0.38.0

0.37.3

0.37.2

0.37.1

0.37.0

0.36.3

0.36.2

0.36.1

0.36.0

0.35.3

0.35.2

0.35.1

0.35.0

0.34.1

0.34.0

0.33.2

0.33.1

0.33.0

0.32.0

0.31.3

0.31.2

0.31.1

0.31.0

0.30.0

0.29.3

0.29.2

0.29.1

0.29.0

0.28.14

0.28.13

0.28.12

0.28.11

0.28.10

0.28.9

0.28.8

0.28.7

0.28.6

0.28.5

0.28.4

0.28.3

0.28.2

0.28.1

0.28.0

0.27.0

0.26.4

0.26.3

0.26.2

0.26.1

0.26.0

0.25.4

0.25.3

0.25.1

0.25.0

0.24.3

0.24.2

0.24.1

0.24.0

0.23.5

0.23.4

0.23.3

0.23.2

0.23.1

0.23.0

0.22.1

0.22.0

0.21.0

0.20.2

0.20.1

0.20.0

0.19.3

0.19.2

0.19.1

0.19.0

0.18.2

0.18.1

0.18.0

0.17.0

0.16.0

0.15.0

0.14.0

0.13.0

0.12.4

0.12.3

0.12.2

0.12.1

0.12.0

0.11.0

0.10.2

0.10.1

0.10.0

0.9.0

0.8.1

0.8.0

0.7.0

0.6.0

0.5.0

0.3.1

0.3.0

0.2.0

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Labels

Clear labels   

bug

  

bug

  

documentation

  

enhancement

  

pull-request

Mirrored from GitHub Pull Request

No labels

bug

bug

documentation

enhancement

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/App-Store-Connect-CLI#164

No description provided.