Add signature validation

[anthonychu]

It looks like the current sample is vulnerable to spoofing. The function should validate the signature on every request: https://azure.github.io/azure-webpubsub/references/protocol-cloudevents.html#web-pubsub-service-atrribute-extension

chatr/api/eventHandler/index.js

Line 43 in 67e1241

const userId = req.headers['ce-userid']

[benc-uk]

Good catch, this is probably one of the downsides of using my own HTTP trigger rather than the Function extensions & bindings/triggers for Web PubSub
But I couldn't find a way to get them to work in a Static Web App

I'll see if I can tighten this up

[anthonychu]

I think it’s totally valid to use your own http function. There’ll be an input binding that will do this work for you that should be available in a few months to simplify this a lot.

In the meantime it would be great to update this sample in case someone copies it. Maybe just adding a comment near that userId line that indicates this is missing would be helpful. Thanks for putting this together!