// /webhooks/rail
export async function POST(req: Request) {
const body = await req.text();
// ... verificar firma (ver guía Webhooks)
const event = JSON.parse(body);
if (event.type === 'refresh_intent.requires_mfa') {
const intent = event.data;
// Guarda el widget_token asociado al user
await db.from('pending_mfa').insert({
user_id: getUserIdFromLink(intent.link_id),
intent_id: intent.id,
widget_token: intent.requires_mfa.widget_token,
expires_at: intent.requires_mfa.expires_at,
});
// Notifica al frontend (WebSocket, push, etc)
await notifyUser(intent.link_id, 'mfa_required');
}
if (event.type === 'refresh_intent.succeeded') {
await db.from('pending_mfa').delete().eq('intent_id', event.data.id);
await notifyUser(event.data.link_id, 'sync_complete');
}
if (event.type === 'refresh_intent.failed') {
await db.from('pending_mfa').delete().eq('intent_id', event.data.id);
await notifyUser(event.data.link_id, 'sync_failed', event.data.error_code);
}
return new Response('ok');
}