Recommended pattern for plugins that need to verify signed webhook bodies (Slack/Stripe/GitHub etc.)?

[shinobiworks]

Context

I'm building a plugin that receives Slack webhooks. Slack signs each request with HMAC-SHA256 computed over "v0:" + timestamp + ":" + rawBodyBytes, and the receiver must verify this signature using the exact bytes Slack sent. This is a standard pattern for any signed webhook source (Slack, Stripe, GitHub, Linear, Discord, etc.).

What I observed

Looking at EmDashRuntime.handlePluginApiRoute in dist/astro/middleware.mjs, the framework calls await request.json() before invoking the route handler. This consumes the body stream, so my handler cannot call ctx.request.text() to read the raw bytes (it throws TypeError: Body has already been used, which gets caught and returned as 500 INTERNAL_ERROR "Plugin route error").

The route context provides ctx.input (parsed JSON) but not the raw body string. I checked the RouteContext type and the PluginRoute interface for an opt-out flag or rawBody accessor and didn't find one.

Question

Is there an intended pattern for plugins to access the raw request body for signature verification? Or is this a use case EmDash currently doesn't cover?

I'm currently working around it with a patches/ override that adds ctx.rawBody (5-line patch across middleware.mjs / search-.mjs / types-.d.mts), but I'd prefer to use a supported API if one exists or could be added.

EmDash version

0.12.0