@catandbox/schrodinger-web-adapter 0.1.27 → 0.1.32

package/dist/server/shopifyAuth.js

@@ -0,0 +1,179 @@
+export class ShopifyAuthError extends Error {
+    code;
+    status;
+    constructor(code, message, status = 401) {
+        super(message);
+        this.name = "ShopifyAuthError";
+        this.code = code;
+        this.status = status;
+    }
+}
+export function extractShopifySessionToken(request) {
+    const authHeader = request.headers.get("Authorization");
+    if (authHeader?.startsWith("Bearer ")) {
+        return authHeader.slice("Bearer ".length).trim();
+    }
+    const fallbackHeader = request.headers.get("X-Shopify-Session-Token") ??
+        request.headers.get("x-shopify-session-token");
+    return fallbackHeader?.trim() || null;
+}
+export async function createPrincipalContext(request, options) {
+    const token = extractShopifySessionToken(request);
+    if (!token) {
+        throw new ShopifyAuthError("MISSING_SHOPIFY_SESSION_TOKEN", "Missing Shopify session token");
+    }
+    const payload = await verifyShopifySessionToken(token, options);
+    const shopDomain = inferShopDomain(payload);
+    const principalExternalId = inferPrincipalExternalId(payload);
+    const displayName = asOptionalString(payload.user_name) ?? null;
+    const email = asOptionalString(payload.user_email) ?? asOptionalString(payload.email) ?? null;
+    return {
+        tenantExternalId: shopDomain,
+        principalExternalId,
+        displayName,
+        email,
+        shopDomain,
+        tokenPayload: payload
+    };
+}
+export async function verifyShopifySessionToken(token, options) {
+    const [headerPart, payloadPart, signaturePart] = token.split(".");
+    if (!headerPart || !payloadPart || !signaturePart) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Invalid JWT format");
+    }
+    const headerJson = decodeBase64UrlToText(headerPart);
+    const header = parseJson(headerJson, "Invalid JWT header");
+    if (header.alg !== "HS256") {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Unsupported JWT alg");
+    }
+    const expectedSignature = await hmacSha256Base64Url(options.shopifyApiSecret, `${headerPart}.${payloadPart}`);
+    if (!timingSafeEqual(expectedSignature, signaturePart)) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "JWT signature mismatch");
+    }
+    const payloadJson = decodeBase64UrlToText(payloadPart);
+    const payload = parseJson(payloadJson, "Invalid JWT payload");
+    validateTemporalClaims(payload, options);
+    validateAudience(payload, options.shopifyApiKey);
+    return payload;
+}
+export async function verifyShopifyWebhookHmac(input) {
+    if (!input.hmacHeader) {
+        return false;
+    }
+    const expected = await hmacSha256Base64(input.shopifyApiSecret, input.rawBody);
+    return timingSafeEqual(expected, input.hmacHeader.trim());
+}
+function validateTemporalClaims(payload, options) {
+    const now = options.now ? options.now() : Math.floor(Date.now() / 1000);
+    const skew = options.clockSkewSeconds ?? 10;
+    if (typeof payload.exp !== "number") {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Missing exp claim");
+    }
+    if (payload.exp + skew < now) {
+        throw new ShopifyAuthError("EXPIRED_SHOPIFY_SESSION_TOKEN", "Shopify session token is expired");
+    }
+    if (typeof payload.nbf === "number" && payload.nbf - skew > now) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Shopify session token is not active yet");
+    }
+    if (typeof payload.iat === "number" && payload.iat - skew > now) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Shopify session token iat is in the future");
+    }
+}
+function validateAudience(payload, apiKey) {
+    const aud = payload.aud;
+    if (!aud) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Missing aud claim");
+    }
+    if (typeof aud === "string") {
+        if (aud !== apiKey) {
+            throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Shopify session token audience mismatch");
+        }
+        return;
+    }
+    if (Array.isArray(aud) && aud.includes(apiKey)) {
+        return;
+    }
+    throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Shopify session token audience mismatch");
+}
+function inferShopDomain(payload) {
+    const destination = asOptionalString(payload.dest);
+    if (destination) {
+        try {
+            const url = new URL(destination);
+            return normalizeShopDomain(url.hostname);
+        }
+        catch {
+            return normalizeShopDomain(destination);
+        }
+    }
+    const issuer = asOptionalString(payload.iss);
+    if (issuer) {
+        try {
+            const url = new URL(issuer);
+            return normalizeShopDomain(url.hostname);
+        }
+        catch {
+            // continue
+        }
+    }
+    throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Unable to infer Shopify shop domain");
+}
+function inferPrincipalExternalId(payload) {
+    const candidate = asOptionalString(payload.sub) ??
+        asOptionalString(payload.user_email) ??
+        asOptionalString(payload.email);
+    if (!candidate) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Unable to infer principal identifier from Shopify session token");
+    }
+    return candidate;
+}
+function normalizeShopDomain(domainLike) {
+    const normalized = domainLike
+        .trim()
+        .toLowerCase()
+        .replace(/^https?:\/\//, "")
+        .replace(/\/.*$/, "");
+    if (!normalized || !normalized.includes(".")) {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", "Invalid Shopify shop domain in token");
+    }
+    return normalized;
+}
+function parseJson(value, message) {
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        throw new ShopifyAuthError("INVALID_SHOPIFY_SESSION_TOKEN", message, 401);
+    }
+}
+function decodeBase64UrlToText(input) {
+    const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = `${normalized}${"=".repeat((4 - (normalized.length % 4)) % 4)}`;
+    return atob(padded);
+}
+async function hmacSha256Base64Url(secret, value) {
+    const base64 = await hmacSha256Base64(secret, value);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function hmacSha256Base64(secret, value) {
+    const key = await crypto.subtle.importKey("raw", new TextEncoder().encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(value));
+    let binary = "";
+    for (const byte of new Uint8Array(signature)) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary);
+}
+function timingSafeEqual(left, right) {
+    if (left.length !== right.length) {
+        return false;
+    }
+    let mismatch = 0;
+    for (let index = 0; index < left.length; index += 1) {
+        mismatch |= left.charCodeAt(index) ^ right.charCodeAt(index);
+    }
+    return mismatch === 0;
+}
+function asOptionalString(value) {
+    return typeof value === "string" && value.trim() ? value.trim() : null;
+}

package/dist/server/signing.d.ts

@@ -0,0 +1,18 @@
+import { type SignedHeaders } from "../signer";
+import type { AdapterEnvironment } from "./types";
+interface SignSchrodingerRequestInput {
+    env: Pick<AdapterEnvironment, "schAppId" | "schKeyId" | "schSecret">;
+    method: string;
+    path: string;
+    query?: URLSearchParams | string;
+    body?: unknown;
+    timestamp?: number;
+    nonce?: string;
+}
+interface SignedSchrodingerRequest {
+    headers: SignedHeaders;
+    rawBody: string;
+    queryString: string;
+}
+export declare function signSchrodingerRequest(input: SignSchrodingerRequestInput): Promise<SignedSchrodingerRequest>;
+export {};

package/dist/server/signing.js

@@ -0,0 +1,25 @@
+import { signRequest } from "../signer";
+export async function signSchrodingerRequest(input) {
+    const queryString = typeof input.query === "string" ? input.query : input.query ? input.query.toString() : "";
+    const rawBody = input.body === undefined
+        ? ""
+        : typeof input.body === "string"
+            ? input.body
+            : JSON.stringify(input.body);
+    const headers = await signRequest({
+        appId: input.env.schAppId,
+        keyId: input.env.schKeyId,
+        keySecret: input.env.schSecret,
+        timestamp: input.timestamp ?? Math.floor(Date.now() / 1000),
+        nonce: input.nonce ?? crypto.randomUUID(),
+        method: input.method,
+        path: input.path,
+        queryString,
+        rawBody
+    });
+    return {
+        headers,
+        rawBody,
+        queryString
+    };
+}

package/dist/server/types.d.ts

@@ -0,0 +1,60 @@
+export interface ShopifySessionVerificationOptions {
+    shopifyApiKey: string;
+    shopifyApiSecret: string;
+    clockSkewSeconds?: number;
+    now?: () => number;
+}
+export interface PrincipalContext {
+    tenantExternalId: string;
+    principalExternalId: string;
+    displayName: string | null;
+    email: string | null;
+    shopDomain: string;
+    tokenPayload: Record<string, unknown>;
+}
+export interface AdapterEnvironment {
+    schApiBaseUrl: string;
+    schAppId: string;
+    schKeyId: string;
+    schSecret: string;
+    shopifyApiKey: string;
+    shopifyApiSecret: string;
+    schAdminApiToken?: string;
+}
+export interface ProxyHandlerOptions extends AdapterEnvironment {
+    basePath?: string;
+    fetchImpl?: typeof fetch;
+    requestIdFactory?: () => string;
+    principalContextHeaderName?: string;
+}
+export interface PrefillLengthCaps {
+    title: number;
+    category: number;
+    description: number;
+}
+export interface PrefillState {
+    title: string;
+    categoryId: string | null;
+    description: string;
+    errors: {
+        title?: string;
+        category?: string;
+        description?: string;
+    };
+    isValid: boolean;
+}
+export interface PrefillParseOptions {
+    categories: Array<{
+        id: string;
+    }>;
+    caps?: Partial<PrefillLengthCaps>;
+}
+export interface WebhookForwardingOptions extends AdapterEnvironment {
+    fetchImpl?: typeof fetch;
+    requestIdFactory?: () => string;
+    disablePortalAccess?: (input: {
+        shopDomain: string;
+        payload: unknown;
+        topic: string;
+    }) => Promise<void> | void;
+}

package/dist/server/types.js

@@ -0,0 +1 @@
+export {};

package/dist/signer.d.ts

@@ -1,2 +1,29 @@
-export { signRequest, sha256Hex, buildCanonicalString } from "@catandbox/schrodinger-shopify-adapter/signer";
-export type { SignRequestInput, SignedHeaders } from "@catandbox/schrodinger-shopify-adapter/signer";
+export interface SignRequestInput {
+    appId: string;
+    keyId: string;
+    keySecret: string;
+    timestamp: number;
+    nonce: string;
+    method: string;
+    path: string;
+    queryString?: string;
+    rawBody?: string;
+}
+export interface SignedHeaders {
+    "X-Sch-AppId": string;
+    "X-Sch-KeyId": string;
+    "X-Sch-Timestamp": string;
+    "X-Sch-Nonce": string;
+    "Content-SHA256": string;
+    "X-Sch-Signature": string;
+}
+export declare function sha256Hex(rawBody: string): Promise<string>;
+export declare function buildCanonicalString(input: {
+    timestamp: number;
+    nonce: string;
+    method: string;
+    path: string;
+    queryString: string;
+    contentSha256: string;
+}): string;
+export declare function signRequest(input: SignRequestInput): Promise<SignedHeaders>;

package/dist/signer.js

@@ -1 +1,51 @@
-export { signRequest, sha256Hex, buildCanonicalString } from "@catandbox/schrodinger-shopify-adapter/signer";
+const encoder = new TextEncoder();
+function toHex(data) {
+    return Array.from(new Uint8Array(data), (byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function toBase64Url(data) {
+    let binary = "";
+    for (const byte of new Uint8Array(data)) {
+        binary += String.fromCharCode(byte);
+    }
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+export async function sha256Hex(rawBody) {
+    const digest = await crypto.subtle.digest("SHA-256", encoder.encode(rawBody));
+    return toHex(digest);
+}
+export function buildCanonicalString(input) {
+    return [
+        "v1",
+        String(input.timestamp),
+        input.nonce,
+        input.method.toUpperCase(),
+        input.path,
+        input.queryString,
+        input.contentSha256,
+        ""
+    ].join("\n");
+}
+export async function signRequest(input) {
+    const queryString = input.queryString ?? "";
+    const rawBody = input.rawBody ?? "";
+    const contentSha256 = await sha256Hex(rawBody);
+    const canonical = buildCanonicalString({
+        timestamp: input.timestamp,
+        nonce: input.nonce,
+        method: input.method,
+        path: input.path,
+        queryString,
+        contentSha256
+    });
+    const key = await crypto.subtle.importKey("raw", encoder.encode(input.keySecret), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+    const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(canonical));
+    return {
+        "X-Sch-AppId": input.appId,
+        "X-Sch-KeyId": input.keyId,
+        "X-Sch-Timestamp": String(input.timestamp),
+        "X-Sch-Nonce": input.nonce,
+        "Content-SHA256": contentSha256,
+        "X-Sch-Signature": toBase64Url(signature)
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@catandbox/schrodinger-web-adapter",
-  "version": "0.1.27",
+  "version": "0.1.32",
   "private": false,
   "type": "module",
   "main": "./dist/index.js",
@@ -34,7 +34,6 @@
     "test": "vitest run"
   },
   "dependencies": {
-    "@catandbox/schrodinger-contracts": "^0.1.0",
-    "@catandbox/schrodinger-shopify-adapter": "^0.1.0"
+    "@catandbox/schrodinger-contracts": "^0.1.0"
   }
 }