@astrasyncai/verification-gateway 2.1.0 → 2.2.3

package/dist/webhooks.mjs

@@ -0,0 +1,55 @@
+// src/webhooks.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var DEFAULT_TOLERANCE_SECONDS = 300;
+function parseSignatureHeader(header) {
+  const parts = {};
+  for (const segment of header.split(",")) {
+    const [k, v] = segment.split("=");
+    if (k === "t" || k === "v1") parts[k] = v;
+  }
+  return parts;
+}
+function computeHmac(secret, signedPayload) {
+  return createHmac("sha256", secret).update(signedPayload, "utf8").digest("hex");
+}
+function constantTimeEquals(a, b) {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  if (aBuf.length !== bBuf.length) return false;
+  return timingSafeEqual(aBuf, bBuf);
+}
+function verifyAstraSyncWebhook(rawBody, headers, secret, options = {}) {
+  if (!secret) return { ok: false, reason: "no_secret_provided" };
+  const rawHeader = headers["x-astrasync-signature"] ?? headers["X-Astrasync-Signature"] ?? headers["X-AstraSync-Signature"] ?? headers["X-ASTRASYNC-SIGNATURE"];
+  if (!rawHeader) return { ok: false, reason: "missing_signature_header" };
+  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;
+  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);
+  if (!timestamp || !receivedSignature) {
+    return { ok: false, reason: "malformed_signature_header" };
+  }
+  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;
+  const now = options.nowMs ?? Date.now();
+  const tsSeconds = Number(timestamp);
+  if (!Number.isFinite(tsSeconds)) {
+    return { ok: false, reason: "invalid_timestamp" };
+  }
+  const ageSeconds = Math.abs(now / 1e3 - tsSeconds);
+  if (ageSeconds > tolerance) {
+    return { ok: false, reason: "timestamp_outside_tolerance" };
+  }
+  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);
+  if (!constantTimeEquals(expectedSignature, receivedSignature)) {
+    return { ok: false, reason: "signature_mismatch" };
+  }
+  return { ok: true };
+}
+function signAstraSyncWebhook(rawBody, secret, nowMs = Date.now()) {
+  const timestamp = Math.floor(nowMs / 1e3);
+  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);
+  return { header: `t=${timestamp},v1=${v1}`, timestamp };
+}
+export {
+  signAstraSyncWebhook,
+  verifyAstraSyncWebhook
+};
+//# sourceMappingURL=webhooks.mjs.map

package/dist/webhooks.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/webhooks.ts"],"sourcesContent":["/**\n * AstraSync webhook signature verification.\n *\n * AstraSync signs every webhook delivery with HMAC-SHA256 over\n * `${unix_timestamp}.${rawBody}` using the merchant's webhook secret\n * (returned ONCE at endpoint registration). The signature is sent in\n * the `X-AstraSync-Signature` header in the form:\n *\n *   X-AstraSync-Signature: t=<unix-ts>,v1=<hex-hmac>\n *\n * This pattern mirrors Stripe's `Stripe-Signature` to ease adoption.\n *\n * Usage:\n *   import { verifyAstraSyncWebhook } from '@astrasyncai/verification-gateway/webhooks';\n *\n *   app.post('/webhooks/astrasync', express.raw({type:'application/json'}), (req, res) => {\n *     const result = verifyAstraSyncWebhook(req.body.toString('utf8'), req.headers, secret);\n *     if (!result.ok) return res.status(401).json({error: result.reason});\n *     // ... process event\n *   });\n */\n\nimport { createHmac, timingSafeEqual } from 'crypto';\n\nexport interface VerifyWebhookOptions {\n  /**\n   * Maximum age (seconds) for the signature timestamp. Older deliveries\n   * are rejected as replays. Default 300 (5 minutes) — matches Stripe.\n   */\n  toleranceSeconds?: number;\n  /**\n   * Override \"now\" for tests. Defaults to Date.now().\n   */\n  nowMs?: number;\n}\n\nexport interface VerifyWebhookResult {\n  ok: boolean;\n  reason?: string;\n}\n\nconst DEFAULT_TOLERANCE_SECONDS = 300;\n\nfunction parseSignatureHeader(header: string): { t?: string; v1?: string } {\n  const parts: { t?: string; v1?: string } = {};\n  for (const segment of header.split(',')) {\n    const [k, v] = segment.split('=');\n    if (k === 't' || k === 'v1') parts[k] = v;\n  }\n  return parts;\n}\n\nfunction computeHmac(secret: string, signedPayload: string): string {\n  return createHmac('sha256', secret).update(signedPayload, 'utf8').digest('hex');\n}\n\nfunction constantTimeEquals(a: string, b: string): boolean {\n  const aBuf = Buffer.from(a, 'utf8');\n  const bBuf = Buffer.from(b, 'utf8');\n  if (aBuf.length !== bBuf.length) return false;\n  return timingSafeEqual(aBuf, bBuf);\n}\n\n/**\n * Verify an AstraSync-issued webhook delivery.\n *\n * @param rawBody - The raw request body as a string (NOT the parsed JSON).\n *                  Use `express.raw({type:'application/json'})` to preserve bytes.\n * @param headers - Incoming request headers (case-insensitive).\n * @param secret  - The merchant's webhook secret from endpoint registration.\n * @param options - Optional tolerance overrides.\n * @returns       - `{ok: true}` on success, `{ok: false, reason}` on failure.\n */\nexport function verifyAstraSyncWebhook(\n  rawBody: string,\n  headers: Record<string, string | string[] | undefined>,\n  secret: string,\n  options: VerifyWebhookOptions = {}\n): VerifyWebhookResult {\n  if (!secret) return { ok: false, reason: 'no_secret_provided' };\n\n  // Header lookup is case-insensitive — support common variants.\n  const rawHeader =\n    headers['x-astrasync-signature'] ??\n    headers['X-Astrasync-Signature'] ??\n    headers['X-AstraSync-Signature'] ??\n    headers['X-ASTRASYNC-SIGNATURE'];\n  if (!rawHeader) return { ok: false, reason: 'missing_signature_header' };\n\n  const headerValue = Array.isArray(rawHeader) ? rawHeader[0] : rawHeader;\n  const { t: timestamp, v1: receivedSignature } = parseSignatureHeader(headerValue);\n  if (!timestamp || !receivedSignature) {\n    return { ok: false, reason: 'malformed_signature_header' };\n  }\n\n  const tolerance = options.toleranceSeconds ?? DEFAULT_TOLERANCE_SECONDS;\n  const now = options.nowMs ?? Date.now();\n  const tsSeconds = Number(timestamp);\n  if (!Number.isFinite(tsSeconds)) {\n    return { ok: false, reason: 'invalid_timestamp' };\n  }\n  const ageSeconds = Math.abs(now / 1000 - tsSeconds);\n  if (ageSeconds > tolerance) {\n    return { ok: false, reason: 'timestamp_outside_tolerance' };\n  }\n\n  const expectedSignature = computeHmac(secret, `${timestamp}.${rawBody}`);\n  if (!constantTimeEquals(expectedSignature, receivedSignature)) {\n    return { ok: false, reason: 'signature_mismatch' };\n  }\n\n  return { ok: true };\n}\n\n/**\n * Server-side companion: produce an `X-AstraSync-Signature` header value for\n * an outbound webhook delivery. Exposed for completeness and for test\n * harnesses that want to verify the verifier; the AstraSync platform itself\n * uses an internal version of the same logic.\n */\nexport function signAstraSyncWebhook(\n  rawBody: string,\n  secret: string,\n  nowMs: number = Date.now()\n): { header: string; timestamp: number } {\n  const timestamp = Math.floor(nowMs / 1000);\n  const v1 = computeHmac(secret, `${timestamp}.${rawBody}`);\n  return { header: `t=${timestamp},v1=${v1}`, timestamp };\n}\n"],"mappings":";AAsBA,SAAS,YAAY,uBAAuB;AAmB5C,IAAM,4BAA4B;AAElC,SAAS,qBAAqB,QAA6C;AACzE,QAAM,QAAqC,CAAC;AAC5C,aAAW,WAAW,OAAO,MAAM,GAAG,GAAG;AACvC,UAAM,CAAC,GAAG,CAAC,IAAI,QAAQ,MAAM,GAAG;AAChC,QAAI,MAAM,OAAO,MAAM,KAAM,OAAM,CAAC,IAAI;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,YAAY,QAAgB,eAA+B;AAClE,SAAO,WAAW,UAAU,MAAM,EAAE,OAAO,eAAe,MAAM,EAAE,OAAO,KAAK;AAChF;AAEA,SAAS,mBAAmB,GAAW,GAAoB;AACzD,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,QAAM,OAAO,OAAO,KAAK,GAAG,MAAM;AAClC,MAAI,KAAK,WAAW,KAAK,OAAQ,QAAO;AACxC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAYO,SAAS,uBACd,SACA,SACA,QACA,UAAgC,CAAC,GACZ;AACrB,MAAI,CAAC,OAAQ,QAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAG9D,QAAM,YACJ,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB,KAC/B,QAAQ,uBAAuB;AACjC,MAAI,CAAC,UAAW,QAAO,EAAE,IAAI,OAAO,QAAQ,2BAA2B;AAEvE,QAAM,cAAc,MAAM,QAAQ,SAAS,IAAI,UAAU,CAAC,IAAI;AAC9D,QAAM,EAAE,GAAG,WAAW,IAAI,kBAAkB,IAAI,qBAAqB,WAAW;AAChF,MAAI,CAAC,aAAa,CAAC,mBAAmB;AACpC,WAAO,EAAE,IAAI,OAAO,QAAQ,6BAA6B;AAAA,EAC3D;AAEA,QAAM,YAAY,QAAQ,oBAAoB;AAC9C,QAAM,MAAM,QAAQ,SAAS,KAAK,IAAI;AACtC,QAAM,YAAY,OAAO,SAAS;AAClC,MAAI,CAAC,OAAO,SAAS,SAAS,GAAG;AAC/B,WAAO,EAAE,IAAI,OAAO,QAAQ,oBAAoB;AAAA,EAClD;AACA,QAAM,aAAa,KAAK,IAAI,MAAM,MAAO,SAAS;AAClD,MAAI,aAAa,WAAW;AAC1B,WAAO,EAAE,IAAI,OAAO,QAAQ,8BAA8B;AAAA,EAC5D;AAEA,QAAM,oBAAoB,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACvE,MAAI,CAAC,mBAAmB,mBAAmB,iBAAiB,GAAG;AAC7D,WAAO,EAAE,IAAI,OAAO,QAAQ,qBAAqB;AAAA,EACnD;AAEA,SAAO,EAAE,IAAI,KAAK;AACpB;AAQO,SAAS,qBACd,SACA,QACA,QAAgB,KAAK,IAAI,GACc;AACvC,QAAM,YAAY,KAAK,MAAM,QAAQ,GAAI;AACzC,QAAM,KAAK,YAAY,QAAQ,GAAG,SAAS,IAAI,OAAO,EAAE;AACxD,SAAO,EAAE,QAAQ,KAAK,SAAS,OAAO,EAAE,IAAI,UAAU;AACxD;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@astrasyncai/verification-gateway",
-  "version": "2.1.0",
+  "version": "2.2.3",
   "description": "Universal Verification Gateway for AstraSync KYA Platform - verify AI agents across any counterparty type",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -75,6 +75,11 @@
       "types": "./dist/git-trigger/git-hooks.d.ts",
       "import": "./dist/git-trigger/git-hooks.mjs",
       "require": "./dist/git-trigger/git-hooks.js"
+    },
+    "./webhooks": {
+      "types": "./dist/webhooks.d.ts",
+      "import": "./dist/webhooks.mjs",
+      "require": "./dist/webhooks.js"
     }
   },
   "files": [
@@ -112,12 +117,12 @@
     "@sd-jwt/core": "^0.19.0",
     "@sd-jwt/decode": "^0.19.0",
     "@sd-jwt/utils": "^0.19.0",
+    "@x402/core": "^2.10.0",
     "ajv": "^8.17.1",
     "http-message-signatures": "^1.0.5",
-    "structured-headers": "^2.0.1",
     "jose": "^5.9.6",
     "mppx": "0.5.13",
-    "@x402/core": "^2.10.0",
+    "structured-headers": "^2.0.1",
     "web-bot-auth": "^0.1.3"
   },
   "peerDependencies": {