@blokjs/trigger-webhook 0.6.17 → 0.6.19

package/src/verifiers.test.ts

@@ -1,316 +0,0 @@
-/**
- * Verifier unit tests — one suite per built-in provider plus the
- * custom HMAC builder. Each suite covers: happy-path verification,
- * signature mismatch, missing signature header, and (for providers
- * with timestamp-bound signing) clock drift rejection.
- */
-
-import { createHmac } from "node:crypto";
-import { describe, expect, it } from "vitest";
-
-import {
-	buildCustomVerifier,
-	githubVerifier,
-	shopifyVerifier,
-	slackVerifier,
-	stripeVerifier,
-	svixVerifier,
-} from "./verifiers";
-
-const SECRET = "shhh-its-a-secret-1234567890";
-
-function nowSec(): number {
-	return Math.floor(Date.now() / 1000);
-}
-
-function hmacHex(data: string, secret = SECRET): string {
-	return createHmac("sha256", secret).update(data).digest("hex");
-}
-
-function hmacBase64(data: string, secret = SECRET): string {
-	return createHmac("sha256", secret).update(data).digest("base64");
-}
-
-describe("githubVerifier", () => {
-	const body = JSON.stringify({ ref: "refs/heads/main", action: "opened" });
-
-	it("accepts a valid X-Hub-Signature-256 over rawBody", () => {
-		const result = githubVerifier.verify({
-			headers: {
-				"x-hub-signature-256": `sha256=${hmacHex(body)}`,
-				"x-github-event": "push",
-				"x-github-delivery": "delivery-uuid-1",
-			},
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-		if (result.ok) {
-			expect(result.eventId).toBe("delivery-uuid-1");
-			expect(result.eventType).toBe("push");
-		}
-	});
-
-	it("rejects on signature mismatch", () => {
-		const result = githubVerifier.verify({
-			headers: { "x-hub-signature-256": "sha256=deadbeef" },
-			rawBody: body,
-			parsedBody: {},
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("signature_mismatch");
-	});
-
-	it("rejects when X-Hub-Signature-256 header is missing", () => {
-		const result = githubVerifier.verify({
-			headers: {},
-			rawBody: body,
-			parsedBody: {},
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("missing_signature");
-	});
-});
-
-describe("stripeVerifier", () => {
-	const body = JSON.stringify({ id: "evt_123", type: "invoice.paid" });
-
-	it("accepts a valid Stripe-Signature within tolerance", () => {
-		const ts = String(nowSec());
-		const sig = hmacHex(`${ts}.${body}`);
-		const result = stripeVerifier.verify({
-			headers: { "stripe-signature": `t=${ts},v1=${sig}` },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-		if (result.ok) {
-			expect(result.eventId).toBe("evt_123");
-			expect(result.eventType).toBe("invoice.paid");
-		}
-	});
-
-	it("rejects timestamps outside the tolerance window", () => {
-		const ts = String(nowSec() - 10_000);
-		const sig = hmacHex(`${ts}.${body}`);
-		const result = stripeVerifier.verify({
-			headers: { "stripe-signature": `t=${ts},v1=${sig}` },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("timestamp_drift");
-	});
-
-	it("rejects on signature mismatch", () => {
-		const ts = String(nowSec());
-		const result = stripeVerifier.verify({
-			headers: { "stripe-signature": `t=${ts},v1=ffffffff` },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("signature_mismatch");
-	});
-
-	it("rejects when t= or v1= component is missing", () => {
-		const result = stripeVerifier.verify({
-			headers: { "stripe-signature": "v1=abc" },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("bad_format");
-	});
-});
-
-describe("slackVerifier", () => {
-	const body = JSON.stringify({ event: { type: "message" }, event_id: "Ev123" });
-
-	it("accepts a valid X-Slack-Signature", () => {
-		const ts = String(nowSec());
-		const sig = `v0=${hmacHex(`v0:${ts}:${body}`)}`;
-		const result = slackVerifier.verify({
-			headers: {
-				"x-slack-signature": sig,
-				"x-slack-request-timestamp": ts,
-			},
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-		if (result.ok) {
-			expect(result.eventId).toBe("Ev123");
-			expect(result.eventType).toBe("message");
-		}
-	});
-
-	it("rejects when X-Slack-Request-Timestamp header is missing", () => {
-		const result = slackVerifier.verify({
-			headers: { "x-slack-signature": "v0=abc" },
-			rawBody: body,
-			parsedBody: {},
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("missing_timestamp");
-	});
-});
-
-describe("shopifyVerifier", () => {
-	const body = JSON.stringify({ id: 999, line_items: [] });
-
-	it("accepts a valid base64 X-Shopify-Hmac-Sha256", () => {
-		const result = shopifyVerifier.verify({
-			headers: {
-				"x-shopify-hmac-sha256": hmacBase64(body),
-				"x-shopify-topic": "orders/create",
-				"x-shopify-webhook-id": "shopify-webhook-1",
-			},
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-		if (result.ok) {
-			expect(result.eventId).toBe("shopify-webhook-1");
-			expect(result.eventType).toBe("orders/create");
-		}
-	});
-
-	it("rejects on signature mismatch", () => {
-		const result = shopifyVerifier.verify({
-			headers: { "x-shopify-hmac-sha256": "deadbeef==" },
-			rawBody: body,
-			parsedBody: {},
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("signature_mismatch");
-	});
-});
-
-describe("svixVerifier (Standard Webhooks)", () => {
-	const body = JSON.stringify({ type: "user.created", data: { id: "user_42" } });
-	// Svix expects the secret base64-decoded — encode our test secret first.
-	const svixSecret = Buffer.from(SECRET).toString("base64");
-
-	it("accepts a valid webhook-signature (v1 scheme)", () => {
-		const webhookId = "msg_abc";
-		const webhookTs = String(nowSec());
-		const signed = `${webhookId}.${webhookTs}.${body}`;
-		const expected = createHmac("sha256", Buffer.from(svixSecret, "base64")).update(signed).digest("base64");
-		const result = svixVerifier.verify({
-			headers: {
-				"webhook-id": webhookId,
-				"webhook-timestamp": webhookTs,
-				"webhook-signature": `v1,${expected}`,
-			},
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: svixSecret,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-		if (result.ok) {
-			expect(result.eventId).toBe(webhookId);
-			expect(result.eventType).toBe("user.created");
-		}
-	});
-
-	it("rejects when any of the three headers is missing", () => {
-		const result = svixVerifier.verify({
-			headers: { "webhook-id": "msg", "webhook-timestamp": String(nowSec()) },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: svixSecret,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("missing_signature");
-	});
-});
-
-describe("buildCustomVerifier (custom signature scheme)", () => {
-	const body = JSON.stringify({ type: "ping" });
-
-	it("accepts a valid signature with `{hex}` format placeholder", () => {
-		const verifier = buildCustomVerifier({
-			scheme: "hmac-sha256",
-			header: "X-Acme-Signature",
-			format: "sha256={hex}",
-			secretEnv: "ACME_SECRET",
-			tolerance: 300,
-		});
-		const result = verifier.verify({
-			headers: { "x-acme-signature": `sha256=${hmacHex(body)}` },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-	});
-
-	it("accepts a valid signature with timestamp + tolerance", () => {
-		const verifier = buildCustomVerifier({
-			scheme: "hmac-sha256",
-			header: "X-Acme-Signature",
-			format: "{hex}",
-			secretEnv: "ACME_SECRET",
-			tolerance: 300,
-			timestampHeader: "X-Acme-Timestamp",
-		});
-		const ts = String(nowSec());
-		const sig = hmacHex(`${ts}.${body}`);
-		const result = verifier.verify({
-			headers: { "x-acme-signature": sig, "x-acme-timestamp": ts },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 300,
-		});
-		expect(result.ok).toBe(true);
-	});
-
-	it("rejects when timestamp drifts beyond tolerance", () => {
-		const verifier = buildCustomVerifier({
-			scheme: "hmac-sha256",
-			header: "X-Acme-Signature",
-			format: "{hex}",
-			secretEnv: "ACME_SECRET",
-			tolerance: 60,
-			timestampHeader: "X-Acme-Timestamp",
-		});
-		const ts = String(nowSec() - 600);
-		const sig = hmacHex(`${ts}.${body}`);
-		const result = verifier.verify({
-			headers: { "x-acme-signature": sig, "x-acme-timestamp": ts },
-			rawBody: body,
-			parsedBody: JSON.parse(body),
-			secret: SECRET,
-			toleranceSec: 60,
-		});
-		expect(result.ok).toBe(false);
-		if (!result.ok) expect(result.reason).toBe("timestamp_drift");
-	});
-});

package/src/verifiers.ts

@@ -1,357 +0,0 @@
-/**
- * Webhook signature verifiers — one strategy per supported provider.
- *
- * Each verifier reads the raw request bytes (NOT the JSON-parsed body)
- * and the provider-specific signature header, computes the expected
- * HMAC against a shared secret, and constant-time compares. On match,
- * returns `{ ok: true, eventId, eventType }`. On mismatch / missing
- * header / drift, returns `{ ok: false, reason, message }`.
- *
- * Constant-time comparison via `crypto.timingSafeEqual` is mandatory —
- * a naive `===` compare leaks the expected HMAC byte by byte through
- * timing variance and a network-adjacent attacker can recover the
- * secret in ~256 requests per byte.
- *
- * Built-in providers + their signature shapes:
- *
- *   - **github**:    `X-Hub-Signature-256: sha256=<hex>` over rawBody.
- *                    Event id from `X-GitHub-Delivery`; event type
- *                    from `X-GitHub-Event` header.
- *   - **stripe**:    `Stripe-Signature: t=<ts>,v1=<hex>` over
- *                    `<ts>.<rawBody>` with a 5-minute drift window.
- *                    Event id + type from body.id / body.type.
- *   - **slack**:     `X-Slack-Signature: v0=<hex>` over
- *                    `v0:<X-Slack-Request-Timestamp>:<rawBody>` with a
- *                    5-minute drift window. Event type from
- *                    body.event.type; event id from body.event_id.
- *   - **shopify**:   `X-Shopify-Hmac-Sha256: <base64>` over rawBody.
- *                    Event type from `X-Shopify-Topic`; event id from
- *                    `X-Shopify-Webhook-Id`.
- *   - **svix**:      Standard Webhooks. `webhook-signature:
- *                    v1,<base64>` over `<webhook-id>.<webhook-timestamp>.<rawBody>`
- *                    with a 5-minute drift window. Event id from
- *                    `webhook-id`; event type from body.type.
- *
- * Custom (unknown provider) verifier is built dynamically by
- * `buildCustomVerifier()` from the workflow's `signature` config.
- */
-
-import { createHmac, timingSafeEqual } from "node:crypto";
-
-/** Successful verification result — workflow may proceed. */
-export interface VerifyOk {
-	ok: true;
-	/** Provider-specific event id (used for replay-protection cache key). */
-	eventId: string;
-	/** Provider-specific event type (used for the allowlist check). */
-	eventType: string;
-}
-
-/** Verification failure — trigger returns 401 with structured reason. */
-export interface VerifyError {
-	ok: false;
-	/** Stable discriminator — log/alert dashboards branch on this. */
-	reason:
-		| "missing_signature"
-		| "missing_timestamp"
-		| "missing_secret"
-		| "bad_format"
-		| "timestamp_drift"
-		| "signature_mismatch";
-	/** Human-readable error message. Safe to surface to the sender. */
-	message: string;
-}
-
-export type VerifyResult = VerifyOk | VerifyError;
-
-/** Inputs every verifier receives. */
-export interface VerifyInput {
-	headers: Record<string, string>;
-	rawBody: string;
-	parsedBody: unknown;
-	secret: string;
-	toleranceSec: number;
-}
-
-export interface Verifier {
-	verify(input: VerifyInput): VerifyResult;
-}
-
-const DEFAULT_TOLERANCE_SEC = 300;
-
-function safeEqualString(a: string, b: string): boolean {
-	const aBuf = Buffer.from(a);
-	const bBuf = Buffer.from(b);
-	if (aBuf.length !== bBuf.length) return false;
-	return timingSafeEqual(aBuf, bBuf);
-}
-
-function hmacHex(algo: "sha256" | "sha1" | "sha512", secret: string, data: string): string {
-	return createHmac(algo, secret).update(data).digest("hex");
-}
-
-function hmacBase64(algo: "sha256" | "sha1" | "sha512", secret: string, data: string): string {
-	return createHmac(algo, secret).update(data).digest("base64");
-}
-
-function isWithinTolerance(timestampSec: number, toleranceSec: number): boolean {
-	const nowSec = Math.floor(Date.now() / 1000);
-	return Math.abs(nowSec - timestampSec) <= toleranceSec;
-}
-
-function getEventTypeFromBody(parsedBody: unknown, key = "type"): string | undefined {
-	if (!parsedBody || typeof parsedBody !== "object") return undefined;
-	const value = (parsedBody as Record<string, unknown>)[key];
-	return typeof value === "string" ? value : undefined;
-}
-
-// =============================================================================
-// Built-in providers
-// =============================================================================
-
-export const githubVerifier: Verifier = {
-	verify({ headers, rawBody, secret }) {
-		if (!secret) return { ok: false, reason: "missing_secret", message: "GitHub: secret not configured" };
-		const sig = headers["x-hub-signature-256"];
-		if (!sig) return { ok: false, reason: "missing_signature", message: "GitHub: X-Hub-Signature-256 header missing" };
-		const expected = `sha256=${hmacHex("sha256", secret, rawBody)}`;
-		if (!safeEqualString(sig, expected)) {
-			return { ok: false, reason: "signature_mismatch", message: "GitHub: signature mismatch" };
-		}
-		return {
-			ok: true,
-			eventId: headers["x-github-delivery"] ?? "",
-			eventType: headers["x-github-event"] ?? "unknown",
-		};
-	},
-};
-
-export const stripeVerifier: Verifier = {
-	verify({ headers, rawBody, parsedBody, secret, toleranceSec }) {
-		if (!secret) return { ok: false, reason: "missing_secret", message: "Stripe: secret not configured" };
-		const sig = headers["stripe-signature"];
-		if (!sig) return { ok: false, reason: "missing_signature", message: "Stripe: Stripe-Signature header missing" };
-
-		// Format: t=1234567890,v1=<hex>,v0=<hex>,...
-		const parts = Object.fromEntries(
-			sig
-				.split(",")
-				.map((p) => p.trim())
-				.map((p) => {
-					const idx = p.indexOf("=");
-					return idx === -1 ? [p, ""] : [p.slice(0, idx), p.slice(idx + 1)];
-				}),
-		);
-		const ts = parts.t;
-		const v1 = parts.v1;
-		if (!ts || !v1) {
-			return {
-				ok: false,
-				reason: "bad_format",
-				message: "Stripe: signature missing t= or v1= component",
-			};
-		}
-		const tsNum = Number.parseInt(ts, 10);
-		if (!Number.isFinite(tsNum)) {
-			return { ok: false, reason: "bad_format", message: "Stripe: t= is not numeric" };
-		}
-		if (!isWithinTolerance(tsNum, toleranceSec || DEFAULT_TOLERANCE_SEC)) {
-			return {
-				ok: false,
-				reason: "timestamp_drift",
-				message: `Stripe: timestamp drift exceeds ${toleranceSec || DEFAULT_TOLERANCE_SEC}s tolerance`,
-			};
-		}
-		const expected = hmacHex("sha256", secret, `${ts}.${rawBody}`);
-		if (!safeEqualString(v1, expected)) {
-			return { ok: false, reason: "signature_mismatch", message: "Stripe: signature mismatch" };
-		}
-		const eventId = (parsedBody as { id?: unknown } | null)?.id;
-		const eventType = getEventTypeFromBody(parsedBody);
-		return {
-			ok: true,
-			eventId: typeof eventId === "string" ? eventId : "",
-			eventType: eventType ?? "unknown",
-		};
-	},
-};
-
-export const slackVerifier: Verifier = {
-	verify({ headers, rawBody, parsedBody, secret, toleranceSec }) {
-		if (!secret) return { ok: false, reason: "missing_secret", message: "Slack: secret not configured" };
-		const sig = headers["x-slack-signature"];
-		if (!sig) return { ok: false, reason: "missing_signature", message: "Slack: X-Slack-Signature header missing" };
-		const ts = headers["x-slack-request-timestamp"];
-		if (!ts) {
-			return {
-				ok: false,
-				reason: "missing_timestamp",
-				message: "Slack: X-Slack-Request-Timestamp header missing",
-			};
-		}
-		const tsNum = Number.parseInt(ts, 10);
-		if (!Number.isFinite(tsNum)) {
-			return { ok: false, reason: "bad_format", message: "Slack: timestamp is not numeric" };
-		}
-		if (!isWithinTolerance(tsNum, toleranceSec || DEFAULT_TOLERANCE_SEC)) {
-			return {
-				ok: false,
-				reason: "timestamp_drift",
-				message: `Slack: timestamp drift exceeds ${toleranceSec || DEFAULT_TOLERANCE_SEC}s tolerance`,
-			};
-		}
-		const expected = `v0=${hmacHex("sha256", secret, `v0:${ts}:${rawBody}`)}`;
-		if (!safeEqualString(sig, expected)) {
-			return { ok: false, reason: "signature_mismatch", message: "Slack: signature mismatch" };
-		}
-		const event = (parsedBody as { event?: { type?: unknown }; event_id?: unknown } | null) ?? {};
-		const eventType = typeof event.event?.type === "string" ? event.event.type : "unknown";
-		const eventId = typeof event.event_id === "string" ? event.event_id : "";
-		return { ok: true, eventId, eventType };
-	},
-};
-
-export const shopifyVerifier: Verifier = {
-	verify({ headers, rawBody, secret }) {
-		if (!secret) return { ok: false, reason: "missing_secret", message: "Shopify: secret not configured" };
-		const sig = headers["x-shopify-hmac-sha256"];
-		if (!sig) {
-			return { ok: false, reason: "missing_signature", message: "Shopify: X-Shopify-Hmac-Sha256 header missing" };
-		}
-		const expected = hmacBase64("sha256", secret, rawBody);
-		if (!safeEqualString(sig, expected)) {
-			return { ok: false, reason: "signature_mismatch", message: "Shopify: signature mismatch" };
-		}
-		return {
-			ok: true,
-			eventId: headers["x-shopify-webhook-id"] ?? "",
-			eventType: headers["x-shopify-topic"] ?? "unknown",
-		};
-	},
-};
-
-export const svixVerifier: Verifier = {
-	verify({ headers, rawBody, parsedBody, secret, toleranceSec }) {
-		if (!secret) return { ok: false, reason: "missing_secret", message: "Svix: secret not configured" };
-		const webhookId = headers["webhook-id"];
-		const webhookTs = headers["webhook-timestamp"];
-		const webhookSig = headers["webhook-signature"];
-		if (!webhookId || !webhookTs || !webhookSig) {
-			return {
-				ok: false,
-				reason: "missing_signature",
-				message: "Svix/Standard Webhooks: missing webhook-id, webhook-timestamp, or webhook-signature header",
-			};
-		}
-		const tsNum = Number.parseInt(webhookTs, 10);
-		if (!Number.isFinite(tsNum)) {
-			return { ok: false, reason: "bad_format", message: "Svix: webhook-timestamp is not numeric" };
-		}
-		if (!isWithinTolerance(tsNum, toleranceSec || DEFAULT_TOLERANCE_SEC)) {
-			return {
-				ok: false,
-				reason: "timestamp_drift",
-				message: `Svix: timestamp drift exceeds ${toleranceSec || DEFAULT_TOLERANCE_SEC}s tolerance`,
-			};
-		}
-		const signed = `${webhookId}.${webhookTs}.${rawBody}`;
-		// Strip optional `whsec_` prefix Svix recommends for secrets.
-		const rawSecret = secret.startsWith("whsec_") ? secret.slice("whsec_".length) : secret;
-		// Svix encodes the secret as base64 — decode before HMAC.
-		const secretBuf = Buffer.from(rawSecret, "base64");
-		const expected = createHmac("sha256", secretBuf).update(signed).digest("base64");
-		// webhook-signature may include multiple versions: `v1,base64 v1,base64 ...`
-		const sigs = webhookSig.split(" ").map((s) => {
-			const idx = s.indexOf(",");
-			return idx === -1 ? s : s.slice(idx + 1);
-		});
-		const matched = sigs.some((s) => safeEqualString(s, expected));
-		if (!matched) {
-			return { ok: false, reason: "signature_mismatch", message: "Svix: signature mismatch" };
-		}
-		return {
-			ok: true,
-			eventId: webhookId,
-			eventType: getEventTypeFromBody(parsedBody) ?? "unknown",
-		};
-	},
-};
-
-// =============================================================================
-// Custom verifier — built from the workflow's `signature: { ... }` config
-// =============================================================================
-
-export interface CustomSignatureConfig {
-	scheme: "hmac-sha256" | "hmac-sha1" | "hmac-sha512";
-	header: string;
-	format: string;
-	secretEnv: string;
-	tolerance: number;
-	timestampHeader?: string;
-}
-
-export function buildCustomVerifier(config: CustomSignatureConfig): Verifier {
-	const algo: "sha256" | "sha1" | "sha512" =
-		config.scheme === "hmac-sha1" ? "sha1" : config.scheme === "hmac-sha512" ? "sha512" : "sha256";
-	const headerLower = config.header.toLowerCase();
-	const tsHeaderLower = config.timestampHeader?.toLowerCase();
-
-	return {
-		verify({ headers, rawBody, parsedBody, secret, toleranceSec }) {
-			if (!secret) return { ok: false, reason: "missing_secret", message: `${config.header}: secret not configured` };
-			const sig = headers[headerLower];
-			if (!sig) {
-				return { ok: false, reason: "missing_signature", message: `${config.header}: header missing` };
-			}
-
-			let signedString = rawBody;
-			if (tsHeaderLower) {
-				const ts = headers[tsHeaderLower];
-				if (!ts) {
-					return {
-						ok: false,
-						reason: "missing_timestamp",
-						message: `${config.timestampHeader}: header missing`,
-					};
-				}
-				const tsNum = Number.parseInt(ts, 10);
-				if (!Number.isFinite(tsNum)) {
-					return {
-						ok: false,
-						reason: "bad_format",
-						message: `${config.timestampHeader}: not numeric`,
-					};
-				}
-				if (!isWithinTolerance(tsNum, toleranceSec || config.tolerance)) {
-					return {
-						ok: false,
-						reason: "timestamp_drift",
-						message: `Timestamp drift exceeds ${toleranceSec || config.tolerance}s tolerance`,
-					};
-				}
-				signedString = `${ts}.${rawBody}`;
-			}
-
-			const hex = hmacHex(algo, secret, signedString);
-			const base64 = hmacBase64(algo, secret, signedString);
-			const expected = config.format.replace("{hex}", hex).replace("{base64}", base64);
-
-			if (!safeEqualString(sig, expected)) {
-				return { ok: false, reason: "signature_mismatch", message: `${config.header}: signature mismatch` };
-			}
-			return {
-				ok: true,
-				eventId: "",
-				eventType: getEventTypeFromBody(parsedBody) ?? "unknown",
-			};
-		},
-	};
-}
-
-export const BUILTIN_VERIFIERS: Record<string, Verifier> = {
-	github: githubVerifier,
-	stripe: stripeVerifier,
-	slack: slackVerifier,
-	shopify: shopifyVerifier,
-	svix: svixVerifier,
-};

package/tsconfig.json

@@ -1,32 +0,0 @@
-{
-	"ts-node": {
-		"transpileOnly": true
-	},
-	"compilerOptions": {
-		"target": "ES2022",
-		"module": "es2022",
-		"lib": ["ES2022"],
-		"declaration": true,
-		"strict": true,
-		"noImplicitAny": true,
-		"strictNullChecks": true,
-		"noImplicitThis": true,
-		"alwaysStrict": true,
-		"noUnusedLocals": false,
-		"noUnusedParameters": false,
-		"noImplicitReturns": true,
-		"noFallthroughCasesInSwitch": false,
-		"inlineSourceMap": true,
-		"inlineSources": true,
-		"experimentalDecorators": true,
-		"emitDecoratorMetadata": true,
-		"skipLibCheck": true,
-		"esModuleInterop": true,
-		"resolveJsonModule": true,
-		"outDir": "./dist",
-		"rootDir": "./src",
-		"moduleResolution": "bundler"
-	},
-	"include": ["src/**/*"],
-	"exclude": ["node_modules", "dist", "**/*.test.ts"]
-}