@bunnyapp/api-client 3.1.0 → 3.2.1

package/README.md

@@ -377,35 +377,46 @@ When Bunny sends a webhook request it includes a `x-bunny-signature` header whic
 
 Bunny will provide a signing token which you will need to store in your application and use for validating the webhook.
 
+> **Important:** You must pass the **raw request body** to `validate`, not the parsed `req.body`. The HMAC signature is computed against the exact bytes Bunny sent. If you pass a parsed and re-serialised body, characters like `&`, `<`, and `>` may be encoded differently, causing validation to fail.
+
+Use `express.raw()` (or equivalent) to capture the raw body before any JSON parsing:
+
 **TypeScript:**
 
 ```typescript
-interface WebhookRequest {
-  headers: {
-    "x-bunny-signature": string;
-  };
-  body: unknown;
-}
+import express from "express";
 
-const signature: string = req.headers["x-bunny-signature"];
-const payload: unknown = req.body;
-const signingToken: string = "<secret signing token>";
+// Mount raw body middleware on your webhook route
+app.use("/webhook", express.raw({ type: "application/json" }));
 
-const valid: boolean = bunny.webhooks.validate(
-  signature,
-  payload,
-  signingToken
-);
+app.post("/webhook", (req, res) => {
+  const signature: string = req.headers["x-bunny-signature"] as string;
+  const rawBody: Buffer = req.body; // Buffer of exact bytes from the wire
+  const signingToken: string = "<secret signing token>";
+
+  const valid: boolean = bunny.webhooks.validate(
+    signature,
+    rawBody,
+    signingToken
+  );
+});
 ```
 
 **JavaScript:**
 
 ```javascript
-const signature = req.headers["x-bunny-signature"];
-const payload = req.body;
-const signingToken = "<secret signing token>";
+const express = require("express");
+
+// Mount raw body middleware on your webhook route
+app.use("/webhook", express.raw({ type: "application/json" }));
 
-const valid = bunny.webhooks.validate(signature, payload, signingToken);
+app.post("/webhook", (req, res) => {
+  const signature = req.headers["x-bunny-signature"];
+  const rawBody = req.body; // Buffer of exact bytes from the wire
+  const signingToken = "<secret signing token>";
+
+  const valid = bunny.webhooks.validate(signature, rawBody, signingToken);
+});
 ```
 
 ## Test

package/dist/webhooks.d.ts

@@ -1,7 +1,8 @@
+import { Buffer } from 'buffer';
 declare class Webhooks {
     private signingToken;
     constructor(signingToken?: string | null);
-    validate(signature: string, payload: unknown, signingToken?: string | null): boolean;
+    validate(signature: string, payload: string | Buffer, signingToken?: string | null): boolean;
 }
 export default Webhooks;
 //# sourceMappingURL=webhooks.d.ts.map

package/dist/webhooks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AAGA,cAAM,QAAQ;IACZ,OAAO,CAAC,YAAY,CAAgB;gBAExB,YAAY,GAAE,MAAM,GAAG,IAAW;IAI9C,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,GAAE,MAAM,GAAG,IAAW,GAAG,OAAO;CAsB3F;AAED,eAAe,QAAQ,CAAC"}
+{"version":3,"file":"webhooks.d.ts","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,cAAM,QAAQ;IACZ,OAAO,CAAC,YAAY,CAAgB;gBAExB,YAAY,GAAE,MAAM,GAAG,IAAW;IAI9C,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,YAAY,GAAE,MAAM,GAAG,IAAW,GAAG,OAAO;CAsBnG;AAED,eAAe,QAAQ,CAAC"}

package/dist/webhooks.js

@@ -16,7 +16,7 @@ class Webhooks {
         }
         const payloadSignature = crypto_1.default
             .createHmac('sha1', key)
-            .update(JSON.stringify(payload))
+            .update(payload)
             .digest('hex');
         const ps = buffer_1.Buffer.from(payloadSignature, 'hex');
         const s = buffer_1.Buffer.from(signature, 'hex');

package/dist/webhooks.js.map

@@ -1 +1 @@
-{"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":";;;;;AAAA,oDAA4B;AAC5B,mCAAgC;AAEhC,MAAM,QAAQ;IAGZ,YAAY,eAA8B,IAAI;QAC5C,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,QAAQ,CAAC,SAAiB,EAAE,OAAgB,EAAE,eAA8B,IAAI;QAC9E,MAAM,GAAG,GAAG,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC;QAE9C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,gBAAgB,GAAG,gBAAM;aAC5B,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC;aACvB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;aAC/B,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjB,MAAM,EAAE,GAAG,eAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,eAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAExC,uDAAuD;QACvD,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;YAC3B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,gBAAM,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC;CACF;AAED,kBAAe,QAAQ,CAAC"}
+{"version":3,"file":"webhooks.js","sourceRoot":"","sources":["../src/webhooks.ts"],"names":[],"mappings":";;;;;AAAA,oDAA4B;AAC5B,mCAAgC;AAEhC,MAAM,QAAQ;IAGZ,YAAY,eAA8B,IAAI;QAC5C,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED,QAAQ,CAAC,SAAiB,EAAE,OAAwB,EAAE,eAA8B,IAAI;QACtF,MAAM,GAAG,GAAG,YAAY,IAAI,IAAI,CAAC,YAAY,CAAC;QAE9C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,gBAAgB,GAAG,gBAAM;aAC5B,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC;aACvB,MAAM,CAAC,OAAO,CAAC;aACf,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjB,MAAM,EAAE,GAAG,eAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,CAAC,GAAG,eAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAExC,uDAAuD;QACvD,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;YAC3B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,gBAAM,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC;CACF;AAED,kBAAe,QAAQ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bunnyapp/api-client",
-  "version": "3.1.0",
+  "version": "3.2.1",
   "description": "Node.js client for Bunny CRM",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",