@blaxel/core 0.2.52-preview.126 → 0.2.52

package/dist/esm/common/settings.js

@@ -7,7 +7,7 @@ function getPackageVersion() {
         if (typeof require !== "undefined") {
             // Try to require package.json (Node.js only, gracefully fails in browser)
             // eslint-disable-next-line @typescript-eslint/no-require-imports
-            const packageJson = {"version":"0.2.52-preview.126","commit":"807fffa3fcd34b9d1e080282743f22122e024c84"};
+            const packageJson = {"version":"0.2.52","commit":"4acd7b5efa6c9e04c5131f55e7a87029c4889b1d"};
             return packageJson.version || "unknown";
         }
         else {
@@ -59,7 +59,7 @@ function getCommitHash() {
         if (typeof require !== "undefined") {
             // Try to require package.json and look for commit field (set during build)
             // eslint-disable-next-line @typescript-eslint/no-require-imports
-            const packageJson = {"version":"0.2.52-preview.126","commit":"807fffa3fcd34b9d1e080282743f22122e024c84"};
+            const packageJson = {"version":"0.2.52","commit":"4acd7b5efa6c9e04c5131f55e7a87029c4889b1d"};
             // Check for commit in various possible locations
             const commit = packageJson.commit || packageJson.buildInfo?.commit;
             if (commit) {

package/dist/esm/common/webhook.js

@@ -0,0 +1,97 @@
+import { createHmac, timingSafeEqual } from 'crypto';
+/**
+ * Verify the HMAC-SHA256 signature of a webhook callback from async-sidecar
+ *
+ * @example
+ * ```typescript
+ * import { verifyWebhookSignature } from '@blaxel/core';
+ *
+ * // In your Express endpoint
+ * app.post('/webhook', express.text({ type: 'application/json' }), (req, res) => {
+ *   const isValid = verifyWebhookSignature({
+ *     body: req.body,
+ *     signature: req.headers['x-blaxel-signature'] as string,
+ *     secret: process.env.CALLBACK_SECRET!
+ *   });
+ *
+ *   if (!isValid) {
+ *     return res.status(401).json({ error: 'Invalid signature' });
+ *   }
+ *
+ *   const data = JSON.parse(req.body);
+ *   // Process callback...
+ * });
+ * ```
+ *
+ * @param options - Verification options
+ * @returns true if the signature is valid, false otherwise
+ */
+export function verifyWebhookSignature(options) {
+    const { body, signature, secret, timestamp, maxAge = 300 } = options;
+    if (!body || !signature || !secret) {
+        return false;
+    }
+    try {
+        // Verify timestamp if provided (prevents replay attacks)
+        if (timestamp) {
+            const requestTime = parseInt(timestamp, 10);
+            const currentTime = Math.floor(Date.now() / 1000);
+            const age = Math.abs(currentTime - requestTime);
+            if (isNaN(requestTime) || age > maxAge) {
+                return false;
+            }
+        }
+        // Extract hex signature from "sha256=<hex>" format
+        const expectedSignature = signature.replace('sha256=', '');
+        // Compute HMAC-SHA256 signature
+        const hmac = createHmac('sha256', secret);
+        hmac.update(body);
+        const computedSignature = hmac.digest('hex');
+        // Timing-safe comparison to prevent timing attacks
+        return timingSafeEqual(Buffer.from(expectedSignature, 'hex'), Buffer.from(computedSignature, 'hex'));
+    }
+    catch {
+        // Invalid signature format or other error
+        return false;
+    }
+}
+/**
+ * Helper to verify webhook from Express request object
+ *
+ * @example
+ * ```typescript
+ * import { verifyWebhookFromRequest } from '@blaxel/core';
+ * import express from 'express';
+ *
+ * app.use(express.text({ type: 'application/json' }));
+ *
+ * app.post('/webhook', (req, res) => {
+ *   if (!verifyWebhookFromRequest(req, process.env.CALLBACK_SECRET!)) {
+ *     return res.status(401).json({ error: 'Invalid signature' });
+ *   }
+ *
+ *   const data = JSON.parse(req.body);
+ *   console.log('Received callback:', data);
+ *   res.json({ received: true });
+ * });
+ * ```
+ *
+ * @param request - Express request object (must use express.text() middleware)
+ * @param secret - The callback secret
+ * @param maxAge - Optional maximum age in seconds (default: 300)
+ * @returns true if the signature is valid, false otherwise
+ */
+export function verifyWebhookFromRequest(request, secret, maxAge) {
+    const signature = request.headers['x-blaxel-signature'];
+    const timestamp = request.headers['x-blaxel-timestamp'];
+    if (typeof signature !== 'string') {
+        return false;
+    }
+    return verifyWebhookSignature({
+        body: request.body,
+        signature,
+        secret,
+        timestamp: typeof timestamp === 'string' ? timestamp : undefined,
+        maxAge
+    });
+}

package/dist/esm/index.js

@@ -8,6 +8,7 @@ export * from "./common/errors.js";
 export * from "./common/internal.js";
 export * from "./common/logger.js";
 export * from "./common/settings.js";
+export * from "./common/webhook.js";
 export * from "./jobs/index.js";
 export * from "./mcp/index.js";
 export * from "./models/index.js";